ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2026-03-31 21:27:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

merge into: ben.carrasco:fix/update-changelog-and-block-1st-item-in-providers-selector
Branches Tags
ben.carrasco:master ben.carrasco:fix/ui-findings-groups-improvements ben.carrasco:feat/vercel-api ben.carrasco:feat/PROWLER-944-stage-4-image-provider-cloud-app-docs ben.carrasco:fix/ui-findings-groups-security-fixes ben.carrasco:fix/ui-findings-groups-pepe-ux ben.carrasco:feat/prowler-628-bedrock-marketplace-subscription-access-least-privilege ben.carrasco:feat/prowler-450-organization-switch ben.carrasco:PROWLER-1253-implement-directory-service-checks-for-google-workspace-provider-clean ben.carrasco:v5.22 ben.carrasco:dependabot/uv/mcp_server/pygments-2.20.0 ben.carrasco:dependabot/pip/api/pygments-2.20.0 ben.carrasco:dependabot/pip/pygments-2.20.0 ben.carrasco:fix/ui-findings-groups-pepe-blockers ben.carrasco:chore/pnpm-supply-chain-protection ben.carrasco:aws-regions-update-179 ben.carrasco:chore/fix-step-security ben.carrasco:dependabot/uv/mcp_server/cryptography-46.0.6 ben.carrasco:chore/GHA-271823-stepsecurity-remediation ben.carrasco:chore/GHA-261831-stepsecurity-remediation ben.carrasco:dependabot/pip/requests-2.33.0 ben.carrasco:dependabot/uv/mcp_server/requests-2.33.0 ben.carrasco:dependabot/pip/api/requests-2.33.0 ben.carrasco:k8s-ocsf ben.carrasco:mcp-resource-timeline-tool ben.carrasco:PROWLER-1251-porting-attack-paths-scan-temporary-database-from-neo-4-j-to-grafeo ben.carrasco:PROWLER-1250-extend-resource-group-filter-for-all-providers ben.carrasco:dependabot/pip/api/authlib-1.6.9 ben.carrasco:dependabot/pip/api/pyasn1-0.6.3 ben.carrasco:dependabot/pip/authlib-1.6.9 ben.carrasco:dependabot/pip/pyjwt-2.12.0 ben.carrasco:dependabot/pip/master/moto-5.1.21 ben.carrasco:feat/aspm-provider ben.carrasco:fix/oraclecloud-idp-group-mapping-events-10411 ben.carrasco:feat/vercel-ui ben.carrasco:PROWLER-1225-fix-read-queries-on-the-read-replica-that-doesnt-use-the-write-replica-on-retries--second-attempt ben.carrasco:v5.21 ben.carrasco:dependabot/pip/api/pyjwt-2.12.0 ben.carrasco:aws-regions-update-175 ben.carrasco:feat/s3-bucket-website-hosting-check ben.carrasco:fix/legacy-metadata-validators-error ben.carrasco:dependabot/uv/mcp_server/authlib-1.6.9 ben.carrasco:dependabot/uv/mcp_server/fastmcp-2.14.2 ben.carrasco:dependabot/uv/mcp_server/pyjwt-2.12.0 ben.carrasco:PROWLER-1225-fix-read-queries-on-the-read-replica-that-doesnt-use-the-write-replica-on-retries ben.carrasco:dependabot/npm_and_yarn/ui/next-16.1.7 ben.carrasco:dependabot/pip/pyasn1-0.6.3 ben.carrasco:backport/v5.20/pr-10360 ben.carrasco:feat/add-rbi-compliance-gcp ben.carrasco:feat/github-organization-repository-deletion-limited ben.carrasco:backport/v5.20/pr-10314 ben.carrasco:PRWLR-7706-add-pydantic-validators-to-check-metadata-model-per-rfc-specification ben.carrasco:k8s-dedup-rbac-findings-subject ben.carrasco:v5.20 ben.carrasco:fix/ci-e2e-empty-test-dirs ben.carrasco:v5.19 ben.carrasco:feat/prowler-683-4-cli-integration ben.carrasco:feat/prowler-683-3-compliance-jsons ben.carrasco:feat/prowler-683-2-universal-outputs ben.carrasco:feat/prowler-683-1-universal-models ben.carrasco:backport/v5.19/pr-10270 ben.carrasco:fix/attack-paths-elb-exposed-internet ben.carrasco:DEVREL-93-prowler-gha-poc-as-gh-service ben.carrasco:fix/codeartifact-list-package-versions-unbounded-fetch ben.carrasco:copilot/sub-pr-10236 ben.carrasco:feat/prowler-1151-entra-conditional-access-policy-unknown-device-blocked ben.carrasco:DEVREL-93-prowler-gha-poc ben.carrasco:ensure-key-format-cloudflare ben.carrasco:aws-regions-update-174 ben.carrasco:feat/prowler-1140-entra-legacy-authentication-blocked ben.carrasco:feat/vercel ben.carrasco:fix-ocsf-params ben.carrasco:v5.18 ben.carrasco:dependabot/pip/api/werkzeug-3.1.6 ben.carrasco:dependabot/pip/api/flask-3.1.3 ben.carrasco:dependabot/uv/mcp_server/python-multipart-0.0.22 ben.carrasco:feat/prowler-1138-entra-conditional-access-policy-risky-sign-in-mfa ben.carrasco:feat/PROWLER-1091-create-new-stepper-implement-aws-organizations-endpoints ben.carrasco:feat/PROWLER-943-image-provider-ui ben.carrasco:dependabot/pip/werkzeug-3.1.6 ben.carrasco:dependabot/pip/flask-3.1.3 ben.carrasco:dependabot/pip/protobuf-6.33.5 ben.carrasco:feat/prowler-1139-entra-conditional-access-policy-require-password-change-high-risk-users ben.carrasco:feat/PROWLER-943-stage-3-a-image-provider-ui ben.carrasco:feat/PROWLER-940-stage-2-a-image-provider-api-rebased ben.carrasco:fix-reporting-docs-1771930526 ben.carrasco:feat/prowler-837-entra-guest-users-mfa-enabled ben.carrasco:feat/prowler-838-entra-sign-in-frequency-for-non-corporate-devices ben.carrasco:feat/prowler-836-entra-policy-blocks-unknown-unsupported-device-platforms ben.carrasco:docs-agentic-workflow ben.carrasco:aws-regions-update-173 ben.carrasco:feat/PROWLER-940-stage-2-a-image-provider-api-redo ben.carrasco:feat/PROWLER-940-stage-2-a-image-provider-api-v2 ben.carrasco:feat/PROWLER-940-stage-2-a-image-provider-api-support ben.carrasco:dependabot/pip/api/cryptography-46.0.5 ben.carrasco:PROWLER-1099-api-scan-schedule-model-provider-fk-migration ben.carrasco:PROWLER-1100-api-crud-endpoints ben.carrasco:PROWLER-1098-cron-based-scan-scheduling ben.carrasco:copilot/fix-return-in-finally-block ben.carrasco:review_metadata_gcp_artifacts ben.carrasco:feat/prowler-836-entra-policy-unknown-unsupported-device-platforms-blocked ben.carrasco:PROWLER-1033-start-api-without-neo-4-j ben.carrasco:PROWLER-1084-skill-prowler-changelog-review ben.carrasco:revert-10028-fix/fidings-filters-navitagion-fail-v4 ben.carrasco:backport/v5.18/pr-10028 ben.carrasco:backport/v5.18/pr-10025 ben.carrasco:backport/v5.18/pr-10021 ben.carrasco:backport/v5.18/pr-10017 ben.carrasco:feat/elasticsearch-integration ben.carrasco:fix/ui-scans-polling-optimization ben.carrasco:image-scan-poc ben.carrasco:dependabot/pip/master/pytest-cov-6.3.0 ben.carrasco:dependabot/pip/master/coverage-7.10.7 ben.carrasco:dependabot/pip/master/pytest-8.4.2 ben.carrasco:dependabot/pip/master/pre-commit-4.3.0 ben.carrasco:dependabot/pip/master/flake8-7.3.0 ben.carrasco:dependabot/pip/master/freezegun-1.5.5 ben.carrasco:dependabot/pip/master/marshmallow-4.0.1 ben.carrasco:dependabot/pip/master/openapi-spec-validator-0.7.2 ben.carrasco:dependabot/pip/master/pytest-xdist-3.8.0 ben.carrasco:dependabot/pip/master/bandit-1.8.6 ben.carrasco:dependabot/pip/master/black-25.11.0 ben.carrasco:dependabot/pip/master/pytest-randomly-4.0.1 ben.carrasco:dependabot/pip/master/pylint-3.3.9 ben.carrasco:PROWLER-960-jwt-key-generation-fails-with-permission-error-on-fresh-docker-compose-deployment ben.carrasco:aws-regions-update-170 ben.carrasco:feat/prowler-838-entra-conditional-access-policy-enforce-sign-in-frequency ben.carrasco:v5.17 ben.carrasco:dependabot/pip/api/azure-core-1.38.0 ben.carrasco:feat/PROWLER-774-Findings-Hierarchical-Tree-View-Check-Resources ben.carrasco:PROWLER-822-high-cloudflare-zone-waf-enabled-check-false-positive ben.carrasco:backport/v5.17/pr-9892 ben.carrasco:PROWLER-690-feature-add-batch-provider-creation-endpoint-api ben.carrasco:feat/migrate-to-prek ben.carrasco:aws-regions-update-169 ben.carrasco:PROWLER-693-enhancement-add-status-field-to-provider-model-api ben.carrasco:aws-regions-update-168 ben.carrasco:dependabot/uv/mcp_server/starlette-0.49.1 ben.carrasco:dependabot/uv/mcp_server/urllib3-2.6.3 ben.carrasco:PROWLER-512-merge-attack-paths ben.carrasco:v5.16 ben.carrasco:attack-paths-demo-extras ben.carrasco:PROWLER-511-solve-one-neo-4-j-database-per-provider ben.carrasco:fix/black-formatting-validate-compliance ben.carrasco:feat/prowler-compliance-review-skill ben.carrasco:PROWLER-663-improve-skill-md-and-correct-typos-for-the-compliance-part ben.carrasco:dependabot/pip/master/google-auth-httplib2-0.2.1 ben.carrasco:feat/sns-integration ben.carrasco:feat/github-integration ben.carrasco:update-api-lock ben.carrasco:fix/v5.16-version-alignment ben.carrasco:api-5.16-changelog ben.carrasco:v5.15 ben.carrasco:feat/PROWLER-22-Risk-Radar-Component-UI-2 ben.carrasco:backport/v5.15/pr-9567 ben.carrasco:feat/api-query-performance-guide ben.carrasco:feat/ui-gga-code-review ben.carrasco:backport/v5.15/pr-9558 ben.carrasco:aws-regions-update-163 ben.carrasco:PROWLER-481-issues-with-ia-c-scan-in-bug-repos ben.carrasco:add-search-provider-bar ben.carrasco:chore/ui-e2e-cloud-tests ben.carrasco:feat/ui-scans-resources-link ben.carrasco:backport/v5.14/pr-9489 ben.carrasco:backport/v5.14/pr-9487 ben.carrasco:aws-regions-update-162 ben.carrasco:feat/PROWLER-34-Risk-Plot-Component-UI ben.carrasco:rbi-framework-support ben.carrasco:PROWLER-XX-separate-runner-for-aws-tests ben.carrasco:v5.14 ben.carrasco:feat/api-providers-severity-endpoint ben.carrasco:feat/PROWLER-447-Attack-surface-component-Front ben.carrasco:backport/v5.14/pr-9345 ben.carrasco:aws-regions-update-161 ben.carrasco:PROWLER-182-kubernetes-add-and-connect-the-provider ben.carrasco:PROWLER-181-gcp-add-and-connect-the-provider ben.carrasco:backport/v5.13/pr-9274 ben.carrasco:PRWLR-7853-asff-first-observed-at-is-not-taking-into-account-the-finding-can-exist ben.carrasco:backport/v5.13/pr-9208 ben.carrasco:v5.13 ben.carrasco:PRWLR-7885-fix-report-timestamps ben.carrasco:DEVREL-115-fix-anchors ben.carrasco:backport/v5.13/pr-9054 ben.carrasco:PROWLER-285-aws-add-an-connect-the-provider-sdk-default-env ben.carrasco:prwlr-7751-github-app-authentication-incorrectly-handles-key-parameter-and-environment-variables ben.carrasco:PROWLER-376-update-docs-with-gcp-permissions ben.carrasco:DEVREL-98-include-open-api-specification-in-mintlify ben.carrasco:add-timeout-thread ben.carrasco:DEVREL-109-add-link-to-aws-console-in-aws-findings ben.carrasco:PROWLER-185-launch-scheduled-scan ben.carrasco:add-links-to-iac-findings ben.carrasco:PROWLER-186-launch-on-demand-scan ben.carrasco:chore-api-prowler-version-update ben.carrasco:api-mintlify-docs ben.carrasco:PROWLER-188-invite-new-user ben.carrasco:PROWLER-197-out-of-scope-github-add-an-connect-the-provider ben.carrasco:PROWLER-XX-check-all-checks-have-passed ben.carrasco:backport/v5.13/pr-9062 ben.carrasco:PROWLER-253-extract-aws-data-from-prowler-database-and-transform-it-to-be-ingested-by-cartography ben.carrasco:workshop-as-docs ben.carrasco:create-alibaba-provider ben.carrasco:PRWLR-7835-amazon-bedrock ben.carrasco:feat/gcp-cloudstorage-versioning-enabled ben.carrasco:feat/cloudflare-provider ben.carrasco:feat/stuck-scans-command ben.carrasco:PROWLER-XX-update-changelogs ben.carrasco:refactor/graph-components-kebab-case ben.carrasco:fix-threatscore-s3-location ben.carrasco:demo-api-key ben.carrasco:trigger-preview ben.carrasco:api-changelog-1-14 ben.carrasco:feat/PRWLR-7763-new-credentials-form ben.carrasco:PROWLER-258-github-social-sign-up ben.carrasco:feat/PRWLR-7933-UI-Api-Key ben.carrasco:attribute-error-in-m365 ben.carrasco:v5.12 ben.carrasco:api-keys-docs-improvement ben.carrasco:iac-in-the-app ben.carrasco:pr-8743 ben.carrasco:PRWLR-8174-add-additional-compliance-information-to-compliance-detail-page-ui ben.carrasco:PRWLR-7170-improve-html-output-in-prowler ben.carrasco:todo-check-class ben.carrasco:review-metadata-aws-neptune ben.carrasco:fix/nextjs-cache-folder-not-found ben.carrasco:update-api-dependency-v5.12-1757406446 ben.carrasco:aws-services-regions-updated-422a8a0f625cee103be5e5a97b9639f49997b949 ben.carrasco:PRWLR-7873-add-all-finding-fields-in-the-ticket-summary-table-jira ben.carrasco:backport/v5.11/pr-8619 ben.carrasco:backport/v5.11/pr-8629 ben.carrasco:backport/v5.11/pr-8638 ben.carrasco:aws-services-regions-updated-fdb76e78207e10cf07660bbfa70665fc6552c0dd ben.carrasco:v5.11 ben.carrasco:nitpicks/7e7fce94-067a-47b0-b6d1-9b1f4ccac28f ben.carrasco:PRWLR-6707-create-a-way-of-reporting-for-prowler-threatscore ben.carrasco:v5.10 ben.carrasco:fix-threatscore-scoring ben.carrasco:PRWLR-7212-recommend-fix ben.carrasco:PRWLR-7784-cloud-providers-connection-filter-status-labels ben.carrasco:add-posthog-integration ben.carrasco:PRWLR-7732-add-mutelist-menu-item ben.carrasco:v5.9 ben.carrasco:alert-autofix-55 ben.carrasco:PRWLR-7212-recommend ben.carrasco:nitpicks/678b4540-69e7-4be1-802c-11e249359177 ben.carrasco:nitpicks/578b4540-69e7-4be1-802c-11e249359177 ben.carrasco:nitpicks/578b4540-69e7-4be1-802c-11e249359176 ben.carrasco:nitpicks/578b4540-69e7-4be1-802c-11e249359175 ben.carrasco:nitpicks/578b4540-69e7-4be1-802c-11e249359174 ben.carrasco:PRWLR-7606-add-github-provider-to-ui ben.carrasco:fix/kisa-isms-p_compilance ben.carrasco:fix-gh-typo ben.carrasco:backport/v5.9/pr-8265 ben.carrasco:PRWLR-7569-create-different-flows-of-onboarding-in-m-365 ben.carrasco:feature/add-posthog-analytics ben.carrasco:PRWLR-7635-mongodbatlas-additional-checks ben.carrasco:PRWLR-7635-mongodbatlas-provider-foundation ben.carrasco:v5.8 ben.carrasco:PRWLR-6064-change-user-deletion-api-response ben.carrasco:backport/v5.8/pr-8257 ben.carrasco:backport/v5.7/pr-8270 ben.carrasco:update-fixers-docs ben.carrasco:PRWLR-7205-migrate-fixers-to-new-class-structure ben.carrasco:PRWLR-5093-design-the-fixer-class ben.carrasco:PRWLR-7597-fix-and-optimize-search-filters-for-findings-and-resources ben.carrasco:backport/v5.8/pr-8253 ben.carrasco:PRWLR-7512-create-custom-link-component ben.carrasco:PRWLR-7524-improve-api-performance-on-scan-page-using-include-param ben.carrasco:v5.7 ben.carrasco:PRWLR-7386-playwright-setup-nextjs ben.carrasco:backport/v5.7/pr-8087 ben.carrasco:PRWLR-7459-support-for-scanning-remote-git-repositories-specified-by-url ben.carrasco:api-add-missing-map ben.carrasco:PRWLR-7346-create-a-db-helper-to-create-indexes-following-best-practices ben.carrasco:PRWLR-4758-django-must-support-read-only-replica-database-config ben.carrasco:PRWLR-7134-api-performance-tests-for-resources ben.carrasco:fix/update-changelog-and-block-1st-item-in-providers-selector ben.carrasco:psql-proxy ben.carrasco:PRWLR-7292-old-scans-not-shown-when-all-providers-have-connection-fail ben.carrasco:PRWLR-7160-findings-page-scan-id-filter-improvement ben.carrasco:showdown-demo ben.carrasco:backport/v5.7/pr-7928 ben.carrasco:PRWLR-7302-nextjs-analyst ben.carrasco:backport/v5.7/pr-7921 ben.carrasco:PRWLR-7297-django-endpoint ben.carrasco:api-changelog-5.7.2 ben.carrasco:update-changelog ben.carrasco:PRWLR-7318-add-ia-c-provider-tests ben.carrasco:PRWLR-6367-create-a-finding-new-uid-column-to-avoid-length-limitations ben.carrasco:PRWLR-5556-ensure-inactive-users-are-reviewed-and-removed-periodically ben.carrasco:fix/7508-review-fixes ben.carrasco:PRWLR-5989-ensure-that-spf-records-are-published-for-all-exchange ben.carrasco:v5.6 ben.carrasco:backport/v5.6/pr-7746 ben.carrasco:PRWLR-7117-implement-new-findings-latest-endpoint-API-UI ben.carrasco:poc-ui-e2e ben.carrasco:review-changelogs-for-v5.6 ben.carrasco:v5.5 ben.carrasco:PRWLR-6373-Implement-Compliance-Outputs-UI-temp ben.carrasco:PRWLR-6886-sdk-aws-resource-po-c ben.carrasco:PRWLR-6834-exclude-checks-in-prowler-api ben.carrasco:improve-rls-policies ben.carrasco:M365-testing ben.carrasco:PRWLR-6643-capture-sentry-exceptions ben.carrasco:PRWLR-6464-running-into-302-error-subscription-could-not-be-found-7214 ben.carrasco:v4.6 ben.carrasco:PRWLR-6469-review-resource-types-in-check-metadata-2nd-round ben.carrasco:v5.4 ben.carrasco:backport/v4.6/pr-7420 ben.carrasco:v3 ben.carrasco:backport/v4.6/pr-7410 ben.carrasco:backport/v4.6/pr-7330 ben.carrasco:backport/v3/pr-7330 ben.carrasco:improve-deletion-process ben.carrasco:PRWLR-6502-improve-docs-adding-videos ben.carrasco:PRWLR-6472-add-docs-inside-ui-page-for-each-provider ben.carrasco:PRWLR-6455-change-microsoft-365-check-names ben.carrasco:revert-7112-PRWLR-6398-upgrade-poetry-to-v-2-in-prowler ben.carrasco:fix-api-prowler-dep ben.carrasco:backport/v4.6/pr-7205 ben.carrasco:backport/v5.4/pr-7141 ben.carrasco:v5.3 ben.carrasco:PRWLR-5956-Export-Artifacts-only-UIpart-v2 ben.carrasco:backport/v5.2/pr-6947 ben.carrasco:backport/v4.6/pr-6896 ben.carrasco:backport/v4.6/pr-6908 ben.carrasco:PRWLR-5956-Export-Artifacts-only-UIpart ben.carrasco:PRWLR-5860-ensure-security-defaults-is-disabled ben.carrasco:v5.2 ben.carrasco:backport/v3/pr-6823 ben.carrasco:backport/v3/pr-6822 ben.carrasco:backport/v3/pr-6824 ben.carrasco:PRWLR-6129-review-check-report-init-for-region-resource-id-resource-arn ben.carrasco:PRWLR-5956-Export-Artifacts ben.carrasco:PRWLR-6143-fix-error-related-with-detect-secrets ben.carrasco:v5.1 ben.carrasco:v5.0 ben.carrasco:backport/v3/pr-6611 ben.carrasco:backport/v3/pr-6352 ben.carrasco:PRWLR-5573-ensure-scanners-are-in-place-for-open-source-vulnerabilities-in-used-packages ben.carrasco:PRWLR-4669-Roles-Page-UI-with-API-changes ben.carrasco:PRWLR-5831-review-and-fix-all-the-nonetypes-from-prod-logs ben.carrasco:PRWLR-4669-Roles-Page-API-UI ben.carrasco:PRWLR-5516-ensure-branch-protection-is-enforced-on-the-default-branch ben.carrasco:PRWLR-5535-ensure-linear-history-is-required ben.carrasco:backport/v3/pr-6122 ben.carrasco:PRWLR-5696-debug-django-loosing-db-connections ben.carrasco:backport/v4.4/pr-5195 ben.carrasco:PRWLR-5513-enforce-two-approval-requirement-for-code-changes-in-git-hub-repositories ben.carrasco:PRWLR-5550-Scans-New-attribute-Next-scan-schedule ben.carrasco:backport/v3/pr-5961 ben.carrasco:PRWLR-4785-remove-only-logs ben.carrasco:v4.5 ben.carrasco:PRWLR-5281-po-c-development ben.carrasco:PRWLR-5266-review-checks-executed-by-sdk-and-cli ben.carrasco:v4.4 ben.carrasco:PRWLR-4539-iam-customer-managed-policies-should-not-allow-decryption-actions-on-all-kms-keys ben.carrasco:PRWLR-4554-open-search-domains-should-have-at-least-three-data-nodes-with-zone-awareness-enabled ben.carrasco:PRWLR-4969-ensure-elasticsearch-domains-have-at-least-three-dedicated-master-nodes ben.carrasco:prowler-inventory ben.carrasco:PRWLR-4985-fix-resource-type-aws-metadata ben.carrasco:PRWLR-4782-research-about-removing-the-checks-metadata-loading-from-the-check-class ben.carrasco:v4.3 ben.carrasco:PRWLR-4785-review-only-logs-and-remove-it ben.carrasco:PRWLR-4820-error-in-gcp-execution-error-global-key-error-32-accounts ben.carrasco:PRWLR-4778-git-hub-issue-ensure-no-security-groups-allow-ingress-from-wide-open-non-rfc-1918-address-false-positive-4936 ben.carrasco:improve-ocsf ben.carrasco:PRWLR-4674-refactor-cloudfront-service ben.carrasco:dev-memory-management-optimization-poc ben.carrasco:PRWLR-4601-conflicting-documentation-for-mutelist-tags-on-aws-4782 ben.carrasco:PRWLR-4226-bad-dynamo-db-checks-i-ds ben.carrasco:PRWLR-3963-Create-new-tests-for-new-impersonate-account-of-GCP ben.carrasco:revert-4202-bugfix/execute-custom-rules ben.carrasco:v4.2 ben.carrasco:PRWLR-3773-add-listing-functions-to-new-cli ben.carrasco:PRWLR-3778-kubernetes-core-service-error ben.carrasco:PRWLR-3635-Azure-Review-checks-iam_subscription_roles_owner_custom_not_created-and-iam_custom_role_has_permissions_to_administer_resource_locks ben.carrasco:PRWLR-752-run-subservices-by-service-subservices ben.carrasco:PRWLR-2756-OSS-Amazon-Managed-Streaming-for-Apache-Kafka-MSK-Checks ben.carrasco:PRWLR-3666-bug-check-failing-due-to-iam-roles-created-by-aws-control-tower-and-aft-with-administrator-access-policy-3810 ben.carrasco:elasticache-keyerror ben.carrasco:PRWLR-3580-oss-map-k-8-s-checks-to-mitre-att-ck-framework ben.carrasco:cis-azure-fixes ben.carrasco:3865-bug-efs_not_publicly_accessible-does-not-consider-recommended-aws-condition ben.carrasco:v4.1 ben.carrasco:new-public-exposed-checks ben.carrasco:json-ocsf-checkid ben.carrasco:ens_compliance ben.carrasco:work-on-audit-manager ben.carrasco:refactor-audit-info-sagemaker ben.carrasco:bypass-compute-service ben.carrasco:fix-audit-info-tests ben.carrasco:PRWLR-2798-prowler-create-flag-to-remove-output-files-if-sent-to-an-external-provider ben.carrasco:fix-vpc_different_regions ben.carrasco:prowler-2 ben.carrasco:load-once-checks-metadata-info
ben.carrasco:5.22.0 ben.carrasco:5.21.1 ben.carrasco:5.21.0 ben.carrasco:5.20.0 ben.carrasco:5.19.0 ben.carrasco:5.18.3 ben.carrasco:5.18.2 ben.carrasco:5.18.1 ben.carrasco:5.18.0 ben.carrasco:5.17.1 ben.carrasco:5.17.0 ben.carrasco:5.16.1 ben.carrasco:5.16.0 ben.carrasco:5.15.1 ben.carrasco:5.15.0 ben.carrasco:5.14.2 ben.carrasco:5.14.1 ben.carrasco:5.14.0 ben.carrasco:5.13.1 ben.carrasco:5.13.0 ben.carrasco:5.12.3 ben.carrasco:5.12.2 ben.carrasco:5.12.1 ben.carrasco:5.12.0 ben.carrasco:5.11.0 ben.carrasco:5.10.2 ben.carrasco:5.10.1 ben.carrasco:5.10.0 ben.carrasco:5.9.2 ben.carrasco:5.9.1 ben.carrasco:5.9.0 ben.carrasco:5.8.1 ben.carrasco:5.8.0 ben.carrasco:5.7.5 ben.carrasco:5.7.4 ben.carrasco:5.7.3 ben.carrasco:5.7.2 ben.carrasco:5.7.1 ben.carrasco:5.7.0 ben.carrasco:5.6.0 ben.carrasco:5.5.1 ben.carrasco:5.5.0 ben.carrasco:5.4.4 ben.carrasco:5.4.3 ben.carrasco:5.4.2 ben.carrasco:5.4.1 ben.carrasco:5.4.0 ben.carrasco:5.3.0 ben.carrasco:5.2.3 ben.carrasco:5.2.2 ben.carrasco:5.2.1 ben.carrasco:5.2.0 ben.carrasco:5.1.5 ben.carrasco:5.1.4 ben.carrasco:5.1.3 ben.carrasco:5.1.2 ben.carrasco:5.1.1 ben.carrasco:5.1.0 ben.carrasco:5.0.5 ben.carrasco:5.0.4 ben.carrasco:5.0.3 ben.carrasco:5.0.2 ben.carrasco:5.0.1 ben.carrasco:4.6.2 ben.carrasco:5.0.0 ben.carrasco:4.6.1 ben.carrasco:4.6.0 ben.carrasco:4.5.3 ben.carrasco:4.5.2 ben.carrasco:4.5.1 ben.carrasco:4.5.0 ben.carrasco:4.4.1 ben.carrasco:4.4.0 ben.carrasco:4.3.7 ben.carrasco:4.3.6 ben.carrasco:3.16.17 ben.carrasco:4.3.5 ben.carrasco:4.3.4 ben.carrasco:3.16.16 ben.carrasco:3.16.15 ben.carrasco:4.3.3 ben.carrasco:4.3.2 ben.carrasco:4.3.1 ben.carrasco:4.3.0 ben.carrasco:3.16.14 ben.carrasco:3.16.13 ben.carrasco:3.16.12 ben.carrasco:3.16.11 ben.carrasco:3.16.10 ben.carrasco:4.2.4 ben.carrasco:4.2.3 ben.carrasco:3.16.9 ben.carrasco:4.2.2 ben.carrasco:3.16.8 ben.carrasco:3.16.7 ben.carrasco:3.16.6 ben.carrasco:4.2.1 ben.carrasco:4.2.0 ben.carrasco:3.16.5 ben.carrasco:3.16.4 ben.carrasco:3.16.3 ben.carrasco:4.1.0 ben.carrasco:3.16.2 ben.carrasco:3.16.1 ben.carrasco:4.0.1 ben.carrasco:4.0.0 ben.carrasco:3.16.0 ben.carrasco:3.15.3 ben.carrasco:3.15.2 ben.carrasco:3.15.1 ben.carrasco:3.15.0 ben.carrasco:3.14.0 ben.carrasco:3.13.1 ben.carrasco:3.13.0 ben.carrasco:3.12.1 ben.carrasco:3.12.0 ben.carrasco:3.11.3 ben.carrasco:3.11.2 ben.carrasco:3.11.1 ben.carrasco:3.11.0 ben.carrasco:3.10.0 ben.carrasco:3.9.0 ben.carrasco:3.8.2 ben.carrasco:3.8.1 ben.carrasco:3.8.0 ben.carrasco:3.7.2 ben.carrasco:3.7.1 ben.carrasco:3.7.0 ben.carrasco:3.6.1 ben.carrasco:3.6.0 ben.carrasco:3.5.3 ben.carrasco:3.5.2 ben.carrasco:3.5.1 ben.carrasco:3.5.0 ben.carrasco:3.4.1 ben.carrasco:3.4.0 ben.carrasco:3.3.4 ben.carrasco:3.3.3 ben.carrasco:3.3.2 ben.carrasco:3.3.1 ben.carrasco:3.3.0 ben.carrasco:3.2.4 ben.carrasco:3.2.3 ben.carrasco:3.2.2 ben.carrasco:3.2.1 ben.carrasco:3.2.0 ben.carrasco:3.1.4 ben.carrasco:3.1.3 ben.carrasco:3.1.2 ben.carrasco:3.1.1 ben.carrasco:3.1.0 ben.carrasco:3.0.2 ben.carrasco:3.0.1 ben.carrasco:3.0.0 ben.carrasco:2.12.1 ben.carrasco:2.12.0 ben.carrasco:2.11.0 ben.carrasco:2.10.0 ben.carrasco:2.9.0 ben.carrasco:2.8.1 ben.carrasco:2.8.0 ben.carrasco:2.7.0 ben.carrasco:2.6.1 ben.carrasco:2.6.0 ben.carrasco:2.5.0 ben.carrasco:2.4.1 ben.carrasco:2.4.0 ben.carrasco:2.3.0-18122020 ben.carrasco:2.3.0RC ben.carrasco:2.2.0 ben.carrasco:2.0 ben.carrasco:2.0-Beta ben.carrasco:1.6 ben.carrasco:1.5 ben.carrasco:1.4 ben.carrasco:1.3 ben.carrasco:1.2 ben.carrasco:1.1.1 ben.carrasco:1.1 ben.carrasco:1.0
...
pull from: ben.carrasco:PRWLR-4969-ensure-elasticsearch-domains-have-at-least-three-dedicated-master-nodes
Branches Tags
ben.carrasco:fix/ui-findings-groups-improvements ben.carrasco:feat/vercel-api ben.carrasco:feat/PROWLER-944-stage-4-image-provider-cloud-app-docs ben.carrasco:fix/ui-findings-groups-security-fixes ben.carrasco:fix/ui-findings-groups-pepe-ux ben.carrasco:master ben.carrasco:feat/prowler-628-bedrock-marketplace-subscription-access-least-privilege ben.carrasco:feat/prowler-450-organization-switch ben.carrasco:PROWLER-1253-implement-directory-service-checks-for-google-workspace-provider-clean ben.carrasco:v5.22 ben.carrasco:dependabot/uv/mcp_server/pygments-2.20.0 ben.carrasco:dependabot/pip/api/pygments-2.20.0 ben.carrasco:dependabot/pip/pygments-2.20.0 ben.carrasco:fix/ui-findings-groups-pepe-blockers ben.carrasco:chore/pnpm-supply-chain-protection ben.carrasco:aws-regions-update-179 ben.carrasco:chore/fix-step-security ben.carrasco:dependabot/uv/mcp_server/cryptography-46.0.6 ben.carrasco:chore/GHA-271823-stepsecurity-remediation ben.carrasco:chore/GHA-261831-stepsecurity-remediation ben.carrasco:dependabot/pip/requests-2.33.0 ben.carrasco:dependabot/uv/mcp_server/requests-2.33.0 ben.carrasco:dependabot/pip/api/requests-2.33.0 ben.carrasco:k8s-ocsf ben.carrasco:mcp-resource-timeline-tool ben.carrasco:PROWLER-1251-porting-attack-paths-scan-temporary-database-from-neo-4-j-to-grafeo ben.carrasco:PROWLER-1250-extend-resource-group-filter-for-all-providers ben.carrasco:dependabot/pip/api/authlib-1.6.9 ben.carrasco:dependabot/pip/api/pyasn1-0.6.3 ben.carrasco:dependabot/pip/authlib-1.6.9 ben.carrasco:dependabot/pip/pyjwt-2.12.0 ben.carrasco:dependabot/pip/master/moto-5.1.21 ben.carrasco:feat/aspm-provider ben.carrasco:fix/oraclecloud-idp-group-mapping-events-10411 ben.carrasco:feat/vercel-ui ben.carrasco:PROWLER-1225-fix-read-queries-on-the-read-replica-that-doesnt-use-the-write-replica-on-retries--second-attempt ben.carrasco:v5.21 ben.carrasco:dependabot/pip/api/pyjwt-2.12.0 ben.carrasco:aws-regions-update-175 ben.carrasco:feat/s3-bucket-website-hosting-check ben.carrasco:fix/legacy-metadata-validators-error ben.carrasco:dependabot/uv/mcp_server/authlib-1.6.9 ben.carrasco:dependabot/uv/mcp_server/fastmcp-2.14.2 ben.carrasco:dependabot/uv/mcp_server/pyjwt-2.12.0 ben.carrasco:PROWLER-1225-fix-read-queries-on-the-read-replica-that-doesnt-use-the-write-replica-on-retries ben.carrasco:dependabot/npm_and_yarn/ui/next-16.1.7 ben.carrasco:dependabot/pip/pyasn1-0.6.3 ben.carrasco:backport/v5.20/pr-10360 ben.carrasco:feat/add-rbi-compliance-gcp ben.carrasco:feat/github-organization-repository-deletion-limited ben.carrasco:backport/v5.20/pr-10314 ben.carrasco:PRWLR-7706-add-pydantic-validators-to-check-metadata-model-per-rfc-specification ben.carrasco:k8s-dedup-rbac-findings-subject ben.carrasco:v5.20 ben.carrasco:fix/ci-e2e-empty-test-dirs ben.carrasco:v5.19 ben.carrasco:feat/prowler-683-4-cli-integration ben.carrasco:feat/prowler-683-3-compliance-jsons ben.carrasco:feat/prowler-683-2-universal-outputs ben.carrasco:feat/prowler-683-1-universal-models ben.carrasco:backport/v5.19/pr-10270 ben.carrasco:fix/attack-paths-elb-exposed-internet ben.carrasco:DEVREL-93-prowler-gha-poc-as-gh-service ben.carrasco:fix/codeartifact-list-package-versions-unbounded-fetch ben.carrasco:copilot/sub-pr-10236 ben.carrasco:feat/prowler-1151-entra-conditional-access-policy-unknown-device-blocked ben.carrasco:DEVREL-93-prowler-gha-poc ben.carrasco:ensure-key-format-cloudflare ben.carrasco:aws-regions-update-174 ben.carrasco:feat/prowler-1140-entra-legacy-authentication-blocked ben.carrasco:feat/vercel ben.carrasco:fix-ocsf-params ben.carrasco:v5.18 ben.carrasco:dependabot/pip/api/werkzeug-3.1.6 ben.carrasco:dependabot/pip/api/flask-3.1.3 ben.carrasco:dependabot/uv/mcp_server/python-multipart-0.0.22 ben.carrasco:feat/prowler-1138-entra-conditional-access-policy-risky-sign-in-mfa ben.carrasco:feat/PROWLER-1091-create-new-stepper-implement-aws-organizations-endpoints ben.carrasco:feat/PROWLER-943-image-provider-ui ben.carrasco:dependabot/pip/werkzeug-3.1.6 ben.carrasco:dependabot/pip/flask-3.1.3 ben.carrasco:dependabot/pip/protobuf-6.33.5 ben.carrasco:feat/prowler-1139-entra-conditional-access-policy-require-password-change-high-risk-users ben.carrasco:feat/PROWLER-943-stage-3-a-image-provider-ui ben.carrasco:feat/PROWLER-940-stage-2-a-image-provider-api-rebased ben.carrasco:fix-reporting-docs-1771930526 ben.carrasco:feat/prowler-837-entra-guest-users-mfa-enabled ben.carrasco:feat/prowler-838-entra-sign-in-frequency-for-non-corporate-devices ben.carrasco:feat/prowler-836-entra-policy-blocks-unknown-unsupported-device-platforms ben.carrasco:docs-agentic-workflow ben.carrasco:aws-regions-update-173 ben.carrasco:feat/PROWLER-940-stage-2-a-image-provider-api-redo ben.carrasco:feat/PROWLER-940-stage-2-a-image-provider-api-v2 ben.carrasco:feat/PROWLER-940-stage-2-a-image-provider-api-support ben.carrasco:dependabot/pip/api/cryptography-46.0.5 ben.carrasco:PROWLER-1099-api-scan-schedule-model-provider-fk-migration ben.carrasco:PROWLER-1100-api-crud-endpoints ben.carrasco:PROWLER-1098-cron-based-scan-scheduling ben.carrasco:copilot/fix-return-in-finally-block ben.carrasco:review_metadata_gcp_artifacts ben.carrasco:feat/prowler-836-entra-policy-unknown-unsupported-device-platforms-blocked ben.carrasco:PROWLER-1033-start-api-without-neo-4-j ben.carrasco:PROWLER-1084-skill-prowler-changelog-review ben.carrasco:revert-10028-fix/fidings-filters-navitagion-fail-v4 ben.carrasco:backport/v5.18/pr-10028 ben.carrasco:backport/v5.18/pr-10025 ben.carrasco:backport/v5.18/pr-10021 ben.carrasco:backport/v5.18/pr-10017 ben.carrasco:feat/elasticsearch-integration ben.carrasco:fix/ui-scans-polling-optimization ben.carrasco:image-scan-poc ben.carrasco:dependabot/pip/master/pytest-cov-6.3.0 ben.carrasco:dependabot/pip/master/coverage-7.10.7 ben.carrasco:dependabot/pip/master/pytest-8.4.2 ben.carrasco:dependabot/pip/master/pre-commit-4.3.0 ben.carrasco:dependabot/pip/master/flake8-7.3.0 ben.carrasco:dependabot/pip/master/freezegun-1.5.5 ben.carrasco:dependabot/pip/master/marshmallow-4.0.1 ben.carrasco:dependabot/pip/master/openapi-spec-validator-0.7.2 ben.carrasco:dependabot/pip/master/pytest-xdist-3.8.0 ben.carrasco:dependabot/pip/master/bandit-1.8.6 ben.carrasco:dependabot/pip/master/black-25.11.0 ben.carrasco:dependabot/pip/master/pytest-randomly-4.0.1 ben.carrasco:dependabot/pip/master/pylint-3.3.9 ben.carrasco:PROWLER-960-jwt-key-generation-fails-with-permission-error-on-fresh-docker-compose-deployment ben.carrasco:aws-regions-update-170 ben.carrasco:feat/prowler-838-entra-conditional-access-policy-enforce-sign-in-frequency ben.carrasco:v5.17 ben.carrasco:dependabot/pip/api/azure-core-1.38.0 ben.carrasco:feat/PROWLER-774-Findings-Hierarchical-Tree-View-Check-Resources ben.carrasco:PROWLER-822-high-cloudflare-zone-waf-enabled-check-false-positive ben.carrasco:backport/v5.17/pr-9892 ben.carrasco:PROWLER-690-feature-add-batch-provider-creation-endpoint-api ben.carrasco:feat/migrate-to-prek ben.carrasco:aws-regions-update-169 ben.carrasco:PROWLER-693-enhancement-add-status-field-to-provider-model-api ben.carrasco:aws-regions-update-168 ben.carrasco:dependabot/uv/mcp_server/starlette-0.49.1 ben.carrasco:dependabot/uv/mcp_server/urllib3-2.6.3 ben.carrasco:PROWLER-512-merge-attack-paths ben.carrasco:v5.16 ben.carrasco:attack-paths-demo-extras ben.carrasco:PROWLER-511-solve-one-neo-4-j-database-per-provider ben.carrasco:fix/black-formatting-validate-compliance ben.carrasco:feat/prowler-compliance-review-skill ben.carrasco:PROWLER-663-improve-skill-md-and-correct-typos-for-the-compliance-part ben.carrasco:dependabot/pip/master/google-auth-httplib2-0.2.1 ben.carrasco:feat/sns-integration ben.carrasco:feat/github-integration ben.carrasco:update-api-lock ben.carrasco:fix/v5.16-version-alignment ben.carrasco:api-5.16-changelog ben.carrasco:v5.15 ben.carrasco:feat/PROWLER-22-Risk-Radar-Component-UI-2 ben.carrasco:backport/v5.15/pr-9567 ben.carrasco:feat/api-query-performance-guide ben.carrasco:feat/ui-gga-code-review ben.carrasco:backport/v5.15/pr-9558 ben.carrasco:aws-regions-update-163 ben.carrasco:PROWLER-481-issues-with-ia-c-scan-in-bug-repos ben.carrasco:add-search-provider-bar ben.carrasco:chore/ui-e2e-cloud-tests ben.carrasco:feat/ui-scans-resources-link ben.carrasco:backport/v5.14/pr-9489 ben.carrasco:backport/v5.14/pr-9487 ben.carrasco:aws-regions-update-162 ben.carrasco:feat/PROWLER-34-Risk-Plot-Component-UI ben.carrasco:rbi-framework-support ben.carrasco:PROWLER-XX-separate-runner-for-aws-tests ben.carrasco:v5.14 ben.carrasco:feat/api-providers-severity-endpoint ben.carrasco:feat/PROWLER-447-Attack-surface-component-Front ben.carrasco:backport/v5.14/pr-9345 ben.carrasco:aws-regions-update-161 ben.carrasco:PROWLER-182-kubernetes-add-and-connect-the-provider ben.carrasco:PROWLER-181-gcp-add-and-connect-the-provider ben.carrasco:backport/v5.13/pr-9274 ben.carrasco:PRWLR-7853-asff-first-observed-at-is-not-taking-into-account-the-finding-can-exist ben.carrasco:backport/v5.13/pr-9208 ben.carrasco:v5.13 ben.carrasco:PRWLR-7885-fix-report-timestamps ben.carrasco:DEVREL-115-fix-anchors ben.carrasco:backport/v5.13/pr-9054 ben.carrasco:PROWLER-285-aws-add-an-connect-the-provider-sdk-default-env ben.carrasco:prwlr-7751-github-app-authentication-incorrectly-handles-key-parameter-and-environment-variables ben.carrasco:PROWLER-376-update-docs-with-gcp-permissions ben.carrasco:DEVREL-98-include-open-api-specification-in-mintlify ben.carrasco:add-timeout-thread ben.carrasco:DEVREL-109-add-link-to-aws-console-in-aws-findings ben.carrasco:PROWLER-185-launch-scheduled-scan ben.carrasco:add-links-to-iac-findings ben.carrasco:PROWLER-186-launch-on-demand-scan ben.carrasco:chore-api-prowler-version-update ben.carrasco:api-mintlify-docs ben.carrasco:PROWLER-188-invite-new-user ben.carrasco:PROWLER-197-out-of-scope-github-add-an-connect-the-provider ben.carrasco:PROWLER-XX-check-all-checks-have-passed ben.carrasco:backport/v5.13/pr-9062 ben.carrasco:PROWLER-253-extract-aws-data-from-prowler-database-and-transform-it-to-be-ingested-by-cartography ben.carrasco:workshop-as-docs ben.carrasco:create-alibaba-provider ben.carrasco:PRWLR-7835-amazon-bedrock ben.carrasco:feat/gcp-cloudstorage-versioning-enabled ben.carrasco:feat/cloudflare-provider ben.carrasco:feat/stuck-scans-command ben.carrasco:PROWLER-XX-update-changelogs ben.carrasco:refactor/graph-components-kebab-case ben.carrasco:fix-threatscore-s3-location ben.carrasco:demo-api-key ben.carrasco:trigger-preview ben.carrasco:api-changelog-1-14 ben.carrasco:feat/PRWLR-7763-new-credentials-form ben.carrasco:PROWLER-258-github-social-sign-up ben.carrasco:feat/PRWLR-7933-UI-Api-Key ben.carrasco:attribute-error-in-m365 ben.carrasco:v5.12 ben.carrasco:api-keys-docs-improvement ben.carrasco:iac-in-the-app ben.carrasco:pr-8743 ben.carrasco:PRWLR-8174-add-additional-compliance-information-to-compliance-detail-page-ui ben.carrasco:PRWLR-7170-improve-html-output-in-prowler ben.carrasco:todo-check-class ben.carrasco:review-metadata-aws-neptune ben.carrasco:fix/nextjs-cache-folder-not-found ben.carrasco:update-api-dependency-v5.12-1757406446 ben.carrasco:aws-services-regions-updated-422a8a0f625cee103be5e5a97b9639f49997b949 ben.carrasco:PRWLR-7873-add-all-finding-fields-in-the-ticket-summary-table-jira ben.carrasco:backport/v5.11/pr-8619 ben.carrasco:backport/v5.11/pr-8629 ben.carrasco:backport/v5.11/pr-8638 ben.carrasco:aws-services-regions-updated-fdb76e78207e10cf07660bbfa70665fc6552c0dd ben.carrasco:v5.11 ben.carrasco:nitpicks/7e7fce94-067a-47b0-b6d1-9b1f4ccac28f ben.carrasco:PRWLR-6707-create-a-way-of-reporting-for-prowler-threatscore ben.carrasco:v5.10 ben.carrasco:fix-threatscore-scoring ben.carrasco:PRWLR-7212-recommend-fix ben.carrasco:PRWLR-7784-cloud-providers-connection-filter-status-labels ben.carrasco:add-posthog-integration ben.carrasco:PRWLR-7732-add-mutelist-menu-item ben.carrasco:v5.9 ben.carrasco:alert-autofix-55 ben.carrasco:PRWLR-7212-recommend ben.carrasco:nitpicks/678b4540-69e7-4be1-802c-11e249359177 ben.carrasco:nitpicks/578b4540-69e7-4be1-802c-11e249359177 ben.carrasco:nitpicks/578b4540-69e7-4be1-802c-11e249359176 ben.carrasco:nitpicks/578b4540-69e7-4be1-802c-11e249359175 ben.carrasco:nitpicks/578b4540-69e7-4be1-802c-11e249359174 ben.carrasco:PRWLR-7606-add-github-provider-to-ui ben.carrasco:fix/kisa-isms-p_compilance ben.carrasco:fix-gh-typo ben.carrasco:backport/v5.9/pr-8265 ben.carrasco:PRWLR-7569-create-different-flows-of-onboarding-in-m-365 ben.carrasco:feature/add-posthog-analytics ben.carrasco:PRWLR-7635-mongodbatlas-additional-checks ben.carrasco:PRWLR-7635-mongodbatlas-provider-foundation ben.carrasco:v5.8 ben.carrasco:PRWLR-6064-change-user-deletion-api-response ben.carrasco:backport/v5.8/pr-8257 ben.carrasco:backport/v5.7/pr-8270 ben.carrasco:update-fixers-docs ben.carrasco:PRWLR-7205-migrate-fixers-to-new-class-structure ben.carrasco:PRWLR-5093-design-the-fixer-class ben.carrasco:PRWLR-7597-fix-and-optimize-search-filters-for-findings-and-resources ben.carrasco:backport/v5.8/pr-8253 ben.carrasco:PRWLR-7512-create-custom-link-component ben.carrasco:PRWLR-7524-improve-api-performance-on-scan-page-using-include-param ben.carrasco:v5.7 ben.carrasco:PRWLR-7386-playwright-setup-nextjs ben.carrasco:backport/v5.7/pr-8087 ben.carrasco:PRWLR-7459-support-for-scanning-remote-git-repositories-specified-by-url ben.carrasco:api-add-missing-map ben.carrasco:PRWLR-7346-create-a-db-helper-to-create-indexes-following-best-practices ben.carrasco:PRWLR-4758-django-must-support-read-only-replica-database-config ben.carrasco:PRWLR-7134-api-performance-tests-for-resources ben.carrasco:fix/update-changelog-and-block-1st-item-in-providers-selector ben.carrasco:psql-proxy ben.carrasco:PRWLR-7292-old-scans-not-shown-when-all-providers-have-connection-fail ben.carrasco:PRWLR-7160-findings-page-scan-id-filter-improvement ben.carrasco:showdown-demo ben.carrasco:backport/v5.7/pr-7928 ben.carrasco:PRWLR-7302-nextjs-analyst ben.carrasco:backport/v5.7/pr-7921 ben.carrasco:PRWLR-7297-django-endpoint ben.carrasco:api-changelog-5.7.2 ben.carrasco:update-changelog ben.carrasco:PRWLR-7318-add-ia-c-provider-tests ben.carrasco:PRWLR-6367-create-a-finding-new-uid-column-to-avoid-length-limitations ben.carrasco:PRWLR-5556-ensure-inactive-users-are-reviewed-and-removed-periodically ben.carrasco:fix/7508-review-fixes ben.carrasco:PRWLR-5989-ensure-that-spf-records-are-published-for-all-exchange ben.carrasco:v5.6 ben.carrasco:backport/v5.6/pr-7746 ben.carrasco:PRWLR-7117-implement-new-findings-latest-endpoint-API-UI ben.carrasco:poc-ui-e2e ben.carrasco:review-changelogs-for-v5.6 ben.carrasco:v5.5 ben.carrasco:PRWLR-6373-Implement-Compliance-Outputs-UI-temp ben.carrasco:PRWLR-6886-sdk-aws-resource-po-c ben.carrasco:PRWLR-6834-exclude-checks-in-prowler-api ben.carrasco:improve-rls-policies ben.carrasco:M365-testing ben.carrasco:PRWLR-6643-capture-sentry-exceptions ben.carrasco:PRWLR-6464-running-into-302-error-subscription-could-not-be-found-7214 ben.carrasco:v4.6 ben.carrasco:PRWLR-6469-review-resource-types-in-check-metadata-2nd-round ben.carrasco:v5.4 ben.carrasco:backport/v4.6/pr-7420 ben.carrasco:v3 ben.carrasco:backport/v4.6/pr-7410 ben.carrasco:backport/v4.6/pr-7330 ben.carrasco:backport/v3/pr-7330 ben.carrasco:improve-deletion-process ben.carrasco:PRWLR-6502-improve-docs-adding-videos ben.carrasco:PRWLR-6472-add-docs-inside-ui-page-for-each-provider ben.carrasco:PRWLR-6455-change-microsoft-365-check-names ben.carrasco:revert-7112-PRWLR-6398-upgrade-poetry-to-v-2-in-prowler ben.carrasco:fix-api-prowler-dep ben.carrasco:backport/v4.6/pr-7205 ben.carrasco:backport/v5.4/pr-7141 ben.carrasco:v5.3 ben.carrasco:PRWLR-5956-Export-Artifacts-only-UIpart-v2 ben.carrasco:backport/v5.2/pr-6947 ben.carrasco:backport/v4.6/pr-6896 ben.carrasco:backport/v4.6/pr-6908 ben.carrasco:PRWLR-5956-Export-Artifacts-only-UIpart ben.carrasco:PRWLR-5860-ensure-security-defaults-is-disabled ben.carrasco:v5.2 ben.carrasco:backport/v3/pr-6823 ben.carrasco:backport/v3/pr-6822 ben.carrasco:backport/v3/pr-6824 ben.carrasco:PRWLR-6129-review-check-report-init-for-region-resource-id-resource-arn ben.carrasco:PRWLR-5956-Export-Artifacts ben.carrasco:PRWLR-6143-fix-error-related-with-detect-secrets ben.carrasco:v5.1 ben.carrasco:v5.0 ben.carrasco:backport/v3/pr-6611 ben.carrasco:backport/v3/pr-6352 ben.carrasco:PRWLR-5573-ensure-scanners-are-in-place-for-open-source-vulnerabilities-in-used-packages ben.carrasco:PRWLR-4669-Roles-Page-UI-with-API-changes ben.carrasco:PRWLR-5831-review-and-fix-all-the-nonetypes-from-prod-logs ben.carrasco:PRWLR-4669-Roles-Page-API-UI ben.carrasco:PRWLR-5516-ensure-branch-protection-is-enforced-on-the-default-branch ben.carrasco:PRWLR-5535-ensure-linear-history-is-required ben.carrasco:backport/v3/pr-6122 ben.carrasco:PRWLR-5696-debug-django-loosing-db-connections ben.carrasco:backport/v4.4/pr-5195 ben.carrasco:PRWLR-5513-enforce-two-approval-requirement-for-code-changes-in-git-hub-repositories ben.carrasco:PRWLR-5550-Scans-New-attribute-Next-scan-schedule ben.carrasco:backport/v3/pr-5961 ben.carrasco:PRWLR-4785-remove-only-logs ben.carrasco:v4.5 ben.carrasco:PRWLR-5281-po-c-development ben.carrasco:PRWLR-5266-review-checks-executed-by-sdk-and-cli ben.carrasco:v4.4 ben.carrasco:PRWLR-4539-iam-customer-managed-policies-should-not-allow-decryption-actions-on-all-kms-keys ben.carrasco:PRWLR-4554-open-search-domains-should-have-at-least-three-data-nodes-with-zone-awareness-enabled ben.carrasco:PRWLR-4969-ensure-elasticsearch-domains-have-at-least-three-dedicated-master-nodes ben.carrasco:prowler-inventory ben.carrasco:PRWLR-4985-fix-resource-type-aws-metadata ben.carrasco:PRWLR-4782-research-about-removing-the-checks-metadata-loading-from-the-check-class ben.carrasco:v4.3 ben.carrasco:PRWLR-4785-review-only-logs-and-remove-it ben.carrasco:PRWLR-4820-error-in-gcp-execution-error-global-key-error-32-accounts ben.carrasco:PRWLR-4778-git-hub-issue-ensure-no-security-groups-allow-ingress-from-wide-open-non-rfc-1918-address-false-positive-4936 ben.carrasco:improve-ocsf ben.carrasco:PRWLR-4674-refactor-cloudfront-service ben.carrasco:dev-memory-management-optimization-poc ben.carrasco:PRWLR-4601-conflicting-documentation-for-mutelist-tags-on-aws-4782 ben.carrasco:PRWLR-4226-bad-dynamo-db-checks-i-ds ben.carrasco:PRWLR-3963-Create-new-tests-for-new-impersonate-account-of-GCP ben.carrasco:revert-4202-bugfix/execute-custom-rules ben.carrasco:v4.2 ben.carrasco:PRWLR-3773-add-listing-functions-to-new-cli ben.carrasco:PRWLR-3778-kubernetes-core-service-error ben.carrasco:PRWLR-3635-Azure-Review-checks-iam_subscription_roles_owner_custom_not_created-and-iam_custom_role_has_permissions_to_administer_resource_locks ben.carrasco:PRWLR-752-run-subservices-by-service-subservices ben.carrasco:PRWLR-2756-OSS-Amazon-Managed-Streaming-for-Apache-Kafka-MSK-Checks ben.carrasco:PRWLR-3666-bug-check-failing-due-to-iam-roles-created-by-aws-control-tower-and-aft-with-administrator-access-policy-3810 ben.carrasco:elasticache-keyerror ben.carrasco:PRWLR-3580-oss-map-k-8-s-checks-to-mitre-att-ck-framework ben.carrasco:cis-azure-fixes ben.carrasco:3865-bug-efs_not_publicly_accessible-does-not-consider-recommended-aws-condition ben.carrasco:v4.1 ben.carrasco:new-public-exposed-checks ben.carrasco:json-ocsf-checkid ben.carrasco:ens_compliance ben.carrasco:work-on-audit-manager ben.carrasco:refactor-audit-info-sagemaker ben.carrasco:bypass-compute-service ben.carrasco:fix-audit-info-tests ben.carrasco:PRWLR-2798-prowler-create-flag-to-remove-output-files-if-sent-to-an-external-provider ben.carrasco:fix-vpc_different_regions ben.carrasco:prowler-2 ben.carrasco:load-once-checks-metadata-info
ben.carrasco:5.22.0 ben.carrasco:5.21.1 ben.carrasco:5.21.0 ben.carrasco:5.20.0 ben.carrasco:5.19.0 ben.carrasco:5.18.3 ben.carrasco:5.18.2 ben.carrasco:5.18.1 ben.carrasco:5.18.0 ben.carrasco:5.17.1 ben.carrasco:5.17.0 ben.carrasco:5.16.1 ben.carrasco:5.16.0 ben.carrasco:5.15.1 ben.carrasco:5.15.0 ben.carrasco:5.14.2 ben.carrasco:5.14.1 ben.carrasco:5.14.0 ben.carrasco:5.13.1 ben.carrasco:5.13.0 ben.carrasco:5.12.3 ben.carrasco:5.12.2 ben.carrasco:5.12.1 ben.carrasco:5.12.0 ben.carrasco:5.11.0 ben.carrasco:5.10.2 ben.carrasco:5.10.1 ben.carrasco:5.10.0 ben.carrasco:5.9.2 ben.carrasco:5.9.1 ben.carrasco:5.9.0 ben.carrasco:5.8.1 ben.carrasco:5.8.0 ben.carrasco:5.7.5 ben.carrasco:5.7.4 ben.carrasco:5.7.3 ben.carrasco:5.7.2 ben.carrasco:5.7.1 ben.carrasco:5.7.0 ben.carrasco:5.6.0 ben.carrasco:5.5.1 ben.carrasco:5.5.0 ben.carrasco:5.4.4 ben.carrasco:5.4.3 ben.carrasco:5.4.2 ben.carrasco:5.4.1 ben.carrasco:5.4.0 ben.carrasco:5.3.0 ben.carrasco:5.2.3 ben.carrasco:5.2.2 ben.carrasco:5.2.1 ben.carrasco:5.2.0 ben.carrasco:5.1.5 ben.carrasco:5.1.4 ben.carrasco:5.1.3 ben.carrasco:5.1.2 ben.carrasco:5.1.1 ben.carrasco:5.1.0 ben.carrasco:5.0.5 ben.carrasco:5.0.4 ben.carrasco:5.0.3 ben.carrasco:5.0.2 ben.carrasco:5.0.1 ben.carrasco:4.6.2 ben.carrasco:5.0.0 ben.carrasco:4.6.1 ben.carrasco:4.6.0 ben.carrasco:4.5.3 ben.carrasco:4.5.2 ben.carrasco:4.5.1 ben.carrasco:4.5.0 ben.carrasco:4.4.1 ben.carrasco:4.4.0 ben.carrasco:4.3.7 ben.carrasco:4.3.6 ben.carrasco:3.16.17 ben.carrasco:4.3.5 ben.carrasco:4.3.4 ben.carrasco:3.16.16 ben.carrasco:3.16.15 ben.carrasco:4.3.3 ben.carrasco:4.3.2 ben.carrasco:4.3.1 ben.carrasco:4.3.0 ben.carrasco:3.16.14 ben.carrasco:3.16.13 ben.carrasco:3.16.12 ben.carrasco:3.16.11 ben.carrasco:3.16.10 ben.carrasco:4.2.4 ben.carrasco:4.2.3 ben.carrasco:3.16.9 ben.carrasco:4.2.2 ben.carrasco:3.16.8 ben.carrasco:3.16.7 ben.carrasco:3.16.6 ben.carrasco:4.2.1 ben.carrasco:4.2.0 ben.carrasco:3.16.5 ben.carrasco:3.16.4 ben.carrasco:3.16.3 ben.carrasco:4.1.0 ben.carrasco:3.16.2 ben.carrasco:3.16.1 ben.carrasco:4.0.1 ben.carrasco:4.0.0 ben.carrasco:3.16.0 ben.carrasco:3.15.3 ben.carrasco:3.15.2 ben.carrasco:3.15.1 ben.carrasco:3.15.0 ben.carrasco:3.14.0 ben.carrasco:3.13.1 ben.carrasco:3.13.0 ben.carrasco:3.12.1 ben.carrasco:3.12.0 ben.carrasco:3.11.3 ben.carrasco:3.11.2 ben.carrasco:3.11.1 ben.carrasco:3.11.0 ben.carrasco:3.10.0 ben.carrasco:3.9.0 ben.carrasco:3.8.2 ben.carrasco:3.8.1 ben.carrasco:3.8.0 ben.carrasco:3.7.2 ben.carrasco:3.7.1 ben.carrasco:3.7.0 ben.carrasco:3.6.1 ben.carrasco:3.6.0 ben.carrasco:3.5.3 ben.carrasco:3.5.2 ben.carrasco:3.5.1 ben.carrasco:3.5.0 ben.carrasco:3.4.1 ben.carrasco:3.4.0 ben.carrasco:3.3.4 ben.carrasco:3.3.3 ben.carrasco:3.3.2 ben.carrasco:3.3.1 ben.carrasco:3.3.0 ben.carrasco:3.2.4 ben.carrasco:3.2.3 ben.carrasco:3.2.2 ben.carrasco:3.2.1 ben.carrasco:3.2.0 ben.carrasco:3.1.4 ben.carrasco:3.1.3 ben.carrasco:3.1.2 ben.carrasco:3.1.1 ben.carrasco:3.1.0 ben.carrasco:3.0.2 ben.carrasco:3.0.1 ben.carrasco:3.0.0 ben.carrasco:2.12.1 ben.carrasco:2.12.0 ben.carrasco:2.11.0 ben.carrasco:2.10.0 ben.carrasco:2.9.0 ben.carrasco:2.8.1 ben.carrasco:2.8.0 ben.carrasco:2.7.0 ben.carrasco:2.6.1 ben.carrasco:2.6.0 ben.carrasco:2.5.0 ben.carrasco:2.4.1 ben.carrasco:2.4.0 ben.carrasco:2.3.0-18122020 ben.carrasco:2.3.0RC ben.carrasco:2.2.0 ben.carrasco:2.0 ben.carrasco:2.0-Beta ben.carrasco:1.6 ben.carrasco:1.5 ben.carrasco:1.4 ben.carrasco:1.3 ben.carrasco:1.2 ben.carrasco:1.1.1 ben.carrasco:1.1 ben.carrasco:1.0

5 Commits
fix/update ... PRWLR-4969

Author SHA1 Message Date
MarioRgzLpz
185d6c482d feat(opensearch): Add check logic with respective unit tests. Add metadata too 2024-10-10 19:56:36 +02:00
MarioRgzLpz
04993f4e76 feat(opensearch): Add new attribute to Domain model in the opensearch service and a test for that change 2024-10-10 19:55:01 +02:00
MarioRgzLpz
2bd9f73c1b refactor(opensearch): Adjust all checks to change from list to dict and change tests to use moto instead of magicMock 2024-10-10 19:12:14 +02:00
MarioRgzLpz
0d743fa179 feat(opensearch): Add check logic with respective unit tests and metadata 2024-10-10 19:06:34 +02:00
MarioRgzLpz
eca94e2e3b feat(opensearch): Change service adding two new attributes to Domain model for new check and to use getters in describe method, use moto in service tests and assert new atributtes 2024-10-10 19:01:35 +02:00
30 changed files with 1352 additions and 668 deletions
Expand all files Collapse all files

230
prowler/providers/aws/services/opensearch/opensearch_service.py
View File

@@ -13,142 +13,145 @@ class OpenSearchService(AWSService):
def __init__(self, provider): def __init__(self, provider):
# Call AWSService's __init__ # Call AWSService's __init__
super().__init__("opensearch", provider) super().__init__("opensearch", provider)
self.opensearch_domains = [] self.opensearch_domains = {}
self.__threading_call__(self._list_domain_names) self.__threading_call__(self._list_domain_names)
self._describe_domain_config(self.regional_clients) self.__threading_call__(
self._describe_domain(self.regional_clients) self._describe_domain_config, self.opensearch_domains.values()
self._list_tags() )
self.__threading_call__(self._describe_domain, self.opensearch_domains.values())
self.__threading_call__(self._list_tags, self.opensearch_domains.values())
def _list_domain_names(self, regional_client): def _list_domain_names(self, regional_client):
logger.info("OpenSearch - listing domain names...") logger.info("OpenSearch - listing domain names...")
try: try:
domains = regional_client.list_domain_names() domains = regional_client.list_domain_names()
for domain in domains["DomainNames"]: for domain in domains["DomainNames"]:
arn = f"arn:{self.audited_partition}:opensearch:{regional_client.region}:{self.audited_account}:domain/{domain['DomainName']}" arn = f"arn:{self.audited_partition}:es:{regional_client.region}:{self.audited_account}:domain/{domain['DomainName']}"
if not self.audit_resources or ( if not self.audit_resources or (
is_resource_filtered(arn, self.audit_resources) is_resource_filtered(arn, self.audit_resources)
): ):
self.opensearch_domains.append( self.opensearch_domains[arn] = OpenSearchDomain(
OpenSearchDomain( arn=arn,
arn=arn, name=domain["DomainName"],
name=domain["DomainName"], region=regional_client.region,
region=regional_client.region,
)
) )
except Exception as error: except Exception as error:
logger.error( logger.error(
f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
) )
def _describe_domain_config(self, regional_clients): def _describe_domain_config(self, domain):
logger.info("OpenSearch - describing domain configurations...") logger.info("OpenSearch - describing domain configurations...")
try: try:
for domain in self.opensearch_domains: regional_client = self.regional_clients[domain.region]
regional_client = regional_clients[domain.region] describe_domain = regional_client.describe_domain_config(
describe_domain = regional_client.describe_domain_config( DomainName=domain.name
DomainName=domain.name )
) for logging_key in [
for logging_key in [ "SEARCH_SLOW_LOGS",
"SEARCH_SLOW_LOGS", "INDEX_SLOW_LOGS",
"INDEX_SLOW_LOGS", "AUDIT_LOGS",
"AUDIT_LOGS", ]:
]: if logging_key in describe_domain["DomainConfig"].get(
if logging_key in describe_domain["DomainConfig"].get( "LogPublishingOptions", {}
"LogPublishingOptions", {} ).get("Options", {}):
).get("Options", {}): domain.logging.append(
domain.logging.append( PublishingLoggingOption(
PublishingLoggingOption( name=logging_key,
name=logging_key, enabled=describe_domain["DomainConfig"][
enabled=describe_domain["DomainConfig"][ "LogPublishingOptions"
"LogPublishingOptions" ]["Options"][logging_key]["Enabled"],
]["Options"][logging_key]["Enabled"],
)
) )
try:
domain.access_policy = loads(
describe_domain["DomainConfig"]["AccessPolicies"]["Options"]
) )
except JSONDecodeError as error:
logger.warning(
f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)
continue
except Exception as error:
logger.error(
f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)
def _describe_domain(self, regional_clients):
logger.info("OpenSearch - describing domain configurations...")
try:
for domain in self.opensearch_domains:
regional_client = regional_clients[domain.region]
describe_domain = regional_client.describe_domain(
DomainName=domain.name
)
domain.arn = describe_domain["DomainStatus"]["ARN"]
domain.vpc_endpoints = None
if "Endpoints" in describe_domain["DomainStatus"]:
if "vpc" in describe_domain["DomainStatus"]["Endpoints"]:
domain.vpc_endpoints = [
vpc
for vpc in describe_domain["DomainStatus"][
"Endpoints"
].values()
]
domain.vpc_id = None
if "VPCOptions" in describe_domain["DomainStatus"]:
domain.vpc_id = describe_domain["DomainStatus"]["VPCOptions"][
"VPCId"
]
domain.cognito_options = describe_domain["DomainStatus"][
"CognitoOptions"
]["Enabled"]
domain.encryption_at_rest = describe_domain["DomainStatus"][
"EncryptionAtRestOptions"
]["Enabled"]
domain.node_to_node_encryption = describe_domain["DomainStatus"][
"NodeToNodeEncryptionOptions"
]["Enabled"]
domain.enforce_https = describe_domain["DomainStatus"][
"DomainEndpointOptions"
]["EnforceHTTPS"]
domain.internal_user_database = describe_domain["DomainStatus"][
"AdvancedSecurityOptions"
]["InternalUserDatabaseEnabled"]
domain.saml_enabled = (
describe_domain["DomainStatus"]["AdvancedSecurityOptions"]
.get("SAMLOptions", {})
.get("Enabled", False)
)
domain.update_available = describe_domain["DomainStatus"][
"ServiceSoftwareOptions"
]["UpdateAvailable"]
domain.version = describe_domain["DomainStatus"]["EngineVersion"]
domain.advanced_settings_enabled = describe_domain["DomainStatus"][
"AdvancedSecurityOptions"
]["Enabled"]
except Exception as error:
logger.error(
f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)
def _list_tags(self):
logger.info("OpenSearch - List Tags...")
for domain in self.opensearch_domains:
try: try:
regional_client = self.regional_clients[domain.region] domain.access_policy = loads(
response = regional_client.list_tags( describe_domain["DomainConfig"]["AccessPolicies"]["Options"]
ARN=domain.arn, )
)["TagList"] except JSONDecodeError as error:
domain.tags = response logger.warning(
except Exception as error:
logger.error(
f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
) )
except Exception as error:
logger.error(
f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)
def _describe_domain(self, domain):
logger.info("OpenSearch - describing domain configurations...")
try:
regional_client = self.regional_clients[domain.region]
describe_domain = regional_client.describe_domain(DomainName=domain.name)
domain.arn = describe_domain["DomainStatus"]["ARN"]
domain.vpc_endpoints = None
if "Endpoints" in describe_domain["DomainStatus"]:
if "vpc" in describe_domain["DomainStatus"]["Endpoints"]:
domain.vpc_endpoints = [
vpc
for vpc in describe_domain["DomainStatus"]["Endpoints"].values()
]
domain.vpc_id = None
if "VPCOptions" in describe_domain["DomainStatus"]:
domain.vpc_id = describe_domain["DomainStatus"]["VPCOptions"].get(
"VPCId", None
)
domain.cognito_options = describe_domain["DomainStatus"][
"CognitoOptions"
].get("Enabled", False)
domain.encryption_at_rest = describe_domain["DomainStatus"][
"EncryptionAtRestOptions"
].get("Enabled", False)
domain.node_to_node_encryption = describe_domain["DomainStatus"][
"NodeToNodeEncryptionOptions"
].get("Enabled", False)
domain.enforce_https = describe_domain["DomainStatus"][
"DomainEndpointOptions"
].get("EnforceHTTPS", False)
domain.internal_user_database = describe_domain["DomainStatus"][
"AdvancedSecurityOptions"
].get("InternalUserDatabaseEnabled", False)
domain.saml_enabled = (
describe_domain["DomainStatus"]["AdvancedSecurityOptions"]
.get("SAMLOptions", {})
.get("Enabled", False)
)
domain.update_available = (
describe_domain["DomainStatus"]
.get("ServiceSoftwareOptions", {"UpdateAvailable": False})
.get("UpdateAvailable", False)
)
domain.version = describe_domain["DomainStatus"].get("EngineVersion", None)
domain.advanced_settings_enabled = describe_domain["DomainStatus"][
"AdvancedSecurityOptions"
].get("Enabled", False)
domain.instance_count = describe_domain["DomainStatus"][
"ClusterConfig"
].get("InstanceCount", None)
domain.zone_awareness_enabled = describe_domain["DomainStatus"][
"ClusterConfig"
].get("ZoneAwarenessEnabled", False)
domain.dedicated_master_count = describe_domain["DomainStatus"][
"ClusterConfig"
].get("DedicatedMasterCount", None)
except Exception as error:
logger.error(
f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)
def _list_tags(self, domain):
logger.info("OpenSearch - List Tags...")
try:
regional_client = self.regional_clients[domain.region]
response = regional_client.list_tags(
ARN=domain.arn,
)["TagList"]
domain.tags = response
except Exception as error:
logger.error(
f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)
class PublishingLoggingOption(BaseModel): class PublishingLoggingOption(BaseModel):
name: str name: str
@@ -171,5 +174,8 @@ class OpenSearchDomain(BaseModel):
saml_enabled: bool = None saml_enabled: bool = None
update_available: bool = None update_available: bool = None
version: str = None version: str = None
instance_count: Optional[int]
zone_awareness_enabled: Optional[bool]
dedicated_master_count: Optional[int]
tags: Optional[list] = [] tags: Optional[list] = []
advanced_settings_enabled: bool = None advanced_settings_enabled: bool = None

2
prowler/providers/aws/services/opensearch/opensearch_service_domains_access_control_enabled/opensearch_service_domains_access_control_enabled.py
View File

@@ -7,7 +7,7 @@ from prowler.providers.aws.services.opensearch.opensearch_client import (
class opensearch_service_domains_access_control_enabled(Check): class opensearch_service_domains_access_control_enabled(Check):
def execute(self): def execute(self):
findings = [] findings = []
for domain in opensearch_client.opensearch_domains: for domain in opensearch_client.opensearch_domains.values():
report = Check_Report_AWS(self.metadata()) report = Check_Report_AWS(self.metadata())
report.region = domain.region report.region = domain.region
report.resource_id = domain.name report.resource_id = domain.name

0
prowler/providers/aws/services/opensearch/opensearch_service_domains_at_least_three_master_nodes/__init__.py Normal file
View File

34
prowler/providers/aws/services/opensearch/opensearch_service_domains_at_least_three_master_nodes/opensearch_service_domains_at_least_three_master_nodes.metadata.json Normal file
View File

@@ -0,0 +1,34 @@
{
"Provider": "aws",
"CheckID": "opensearch_service_domains_at_least_three_master_nodes",
"CheckTitle": "Elasticsearch domains should be configured with at least three dedicated master nodes",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices"
],
"ServiceName": "elasticsearch",
"SubServiceName": "domain",
"ResourceIdTemplate": "arn:aws:es:{region}:{account-id}:domain/{domain-name}",
"Severity": "medium",
"ResourceType": "AwsElasticsearchDomain",
"Description": "This control checks whether Elasticsearch domains are configured with at least three dedicated primary nodes. This control fails if the domain does not use dedicated primary nodes. Using more than three primary nodes may not provide significant additional availability benefits, while incurring extra costs.",
"Risk": "Without at least three dedicated master nodes, the Elasticsearch domain's fault-tolerance and ability to handle cluster management operations during node failures may be compromised, leading to potential data unavailability.",
"RelatedUrl": "https://docs.aws.amazon.com/opensearch-service/latest/developerguide/what-is.html",
"Remediation": {
"Code": {
"CLI": "aws opensearch update-domain-config --domain-name <domain-name> --cluster-config DedicatedMasterEnabled=true,MasterInstanceCount=3",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/es-controls.html#es-7",
"Terraform": ""
},
"Recommendation": {
"Text": "Configure Elasticsearch domains with at least three dedicated master nodes for high availability and cluster fault tolerance.",
"Url": "https://docs.aws.amazon.com/opensearch-service/latest/developerguide/managedomains-configuration-changes.html"
}
},
"Categories": [
"redundancy"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
}

27
prowler/providers/aws/services/opensearch/opensearch_service_domains_at_least_three_master_nodes/opensearch_service_domains_at_least_three_master_nodes.py Normal file
View File

@@ -0,0 +1,27 @@
from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.providers.aws.services.opensearch.opensearch_client import (
opensearch_client,
)
class opensearch_service_domains_at_least_three_master_nodes(Check):
def execute(self):
findings = []
for domain in opensearch_client.opensearch_domains.values():
report = Check_Report_AWS(self.metadata())
report.region = domain.region
report.resource_id = domain.name
report.resource_arn = domain.arn
report.resource_tags = domain.tags
report.status = "FAIL"
report.status_extended = f"Opensearch domain {domain.name} has only {domain.dedicated_master_count} master nodes."
if domain.dedicated_master_count >= 3:
report.status = "PASS"
report.status_extended = f"Opensearch domain {domain.name} has {domain.dedicated_master_count} master nodes."
findings.append(report)
return findings

0
prowler/providers/aws/services/opensearch/opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled/__init__.py Normal file
View File

34
prowler/providers/aws/services/opensearch/opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled/opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled.metadata.json Normal file
View File

@@ -0,0 +1,34 @@
{
"Provider": "aws",
"CheckID": "opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled",
"CheckTitle": "Elasticsearch/Opensearch domains should have at least three data nodes",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices"
],
"ServiceName": "opensearch",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:{region}:{account-id}:domain/{domain-name}",
"Severity": "medium",
"ResourceType": "AwsElasticsearchDomain",
"Description": "This control checks whether Elasticsearch/Opensearch domains are configured with at least three data nodes and zoneAwarenessEnabled is true.",
"Risk": "Without at least three data nodes, the Elasticsearch/Opensearch domain may not be fault-tolerant, leading to a higher risk of data loss or unavailability in case of node failure.",
"RelatedUrl": "https://docs.aws.amazon.com/opensearch-service/latest/developerguide/what-is.html",
"Remediation": {
"Code": {
"CLI": "aws opensearch update-domain-config --domain-name <domain-name> --cluster-config InstanceCount=3,ZoneAwarenessEnabled=true",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/es-controls.html#es-6",
"Terraform": ""
},
"Recommendation": {
"Text": "Modify the Elasticsearch/Opensearch domain to ensure at least three data nodes and enable zone awareness for high availability.",
"Url": "https://docs.aws.amazon.com/opensearch-service/latest/developerguide/managedomains-configuration-changes.html"
}
},
"Categories": [
"redundancy"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
}

33
prowler/providers/aws/services/opensearch/opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled/opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled.py Normal file
View File

@@ -0,0 +1,33 @@
from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.providers.aws.services.opensearch.opensearch_client import (
opensearch_client,
)
class opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled(Check):
def execute(self):
findings = []
for domain in opensearch_client.opensearch_domains.values():
report = Check_Report_AWS(self.metadata())
report.region = domain.region
report.resource_id = domain.name
report.resource_arn = domain.arn
report.resource_tags = domain.tags
report.status = "FAIL"
report.status_extended = f"Opensearch domain {domain.name} does not meet the requirements: it has less than 3 data nodes and zone awareness is not enabled."
if domain.instance_count >= 3 and domain.zone_awareness_enabled:
report.status = "PASS"
report.status_extended = f"Opensearch domain {domain.name} has {domain.instance_count} data nodes and zone awareness enabled."
elif domain.instance_count >= 3 and not domain.zone_awareness_enabled:
report.status = "FAIL"
report.status_extended = f"Opensearch domain {domain.name} has {domain.instance_count} data nodes, but zone awareness is not enabled."
elif domain.instance_count < 3 and domain.zone_awareness_enabled:
report.status = "FAIL"
report.status_extended = f"Opensearch domain {domain.name} has zone awareness enabled, but only {domain.instance_count} data nodes."
findings.append(report)
return findings

2
prowler/providers/aws/services/opensearch/opensearch_service_domains_audit_logging_enabled/opensearch_service_domains_audit_logging_enabled.py
View File

@@ -7,7 +7,7 @@ from prowler.providers.aws.services.opensearch.opensearch_client import (
class opensearch_service_domains_audit_logging_enabled(Check): class opensearch_service_domains_audit_logging_enabled(Check):
def execute(self): def execute(self):
findings = [] findings = []
for domain in opensearch_client.opensearch_domains: for domain in opensearch_client.opensearch_domains.values():
report = Check_Report_AWS(self.metadata()) report = Check_Report_AWS(self.metadata())
report.region = domain.region report.region = domain.region
report.resource_id = domain.name report.resource_id = domain.name

2
prowler/providers/aws/services/opensearch/opensearch_service_domains_cloudwatch_logging_enabled/opensearch_service_domains_cloudwatch_logging_enabled.py
View File

@@ -7,7 +7,7 @@ from prowler.providers.aws.services.opensearch.opensearch_client import (
class opensearch_service_domains_cloudwatch_logging_enabled(Check): class opensearch_service_domains_cloudwatch_logging_enabled(Check):
def execute(self): def execute(self):
findings = [] findings = []
for domain in opensearch_client.opensearch_domains: for domain in opensearch_client.opensearch_domains.values():
report = Check_Report_AWS(self.metadata()) report = Check_Report_AWS(self.metadata())
report.region = domain.region report.region = domain.region
report.resource_id = domain.name report.resource_id = domain.name

2
prowler/providers/aws/services/opensearch/opensearch_service_domains_encryption_at_rest_enabled/opensearch_service_domains_encryption_at_rest_enabled.py
View File

@@ -7,7 +7,7 @@ from prowler.providers.aws.services.opensearch.opensearch_client import (
class opensearch_service_domains_encryption_at_rest_enabled(Check): class opensearch_service_domains_encryption_at_rest_enabled(Check):
def execute(self): def execute(self):
findings = [] findings = []
for domain in opensearch_client.opensearch_domains: for domain in opensearch_client.opensearch_domains.values():
report = Check_Report_AWS(self.metadata()) report = Check_Report_AWS(self.metadata())
report.region = domain.region report.region = domain.region
report.resource_id = domain.name report.resource_id = domain.name

2
prowler/providers/aws/services/opensearch/opensearch_service_domains_https_communications_enforced/opensearch_service_domains_https_communications_enforced.py
View File

@@ -7,7 +7,7 @@ from prowler.providers.aws.services.opensearch.opensearch_client import (
class opensearch_service_domains_https_communications_enforced(Check): class opensearch_service_domains_https_communications_enforced(Check):
def execute(self): def execute(self):
findings = [] findings = []
for domain in opensearch_client.opensearch_domains: for domain in opensearch_client.opensearch_domains.values():
report = Check_Report_AWS(self.metadata()) report = Check_Report_AWS(self.metadata())
report.region = domain.region report.region = domain.region
report.resource_id = domain.name report.resource_id = domain.name

2
prowler/providers/aws/services/opensearch/opensearch_service_domains_internal_user_database_enabled/opensearch_service_domains_internal_user_database_enabled.py
View File

@@ -7,7 +7,7 @@ from prowler.providers.aws.services.opensearch.opensearch_client import (
class opensearch_service_domains_internal_user_database_enabled(Check): class opensearch_service_domains_internal_user_database_enabled(Check):
def execute(self): def execute(self):
findings = [] findings = []
for domain in opensearch_client.opensearch_domains: for domain in opensearch_client.opensearch_domains.values():
report = Check_Report_AWS(self.metadata()) report = Check_Report_AWS(self.metadata())
report.region = domain.region report.region = domain.region
report.resource_id = domain.name report.resource_id = domain.name

2
prowler/providers/aws/services/opensearch/opensearch_service_domains_node_to_node_encryption_enabled/opensearch_service_domains_node_to_node_encryption_enabled.py
View File

@@ -7,7 +7,7 @@ from prowler.providers.aws.services.opensearch.opensearch_client import (
class opensearch_service_domains_node_to_node_encryption_enabled(Check): class opensearch_service_domains_node_to_node_encryption_enabled(Check):
def execute(self): def execute(self):
findings = [] findings = []
for domain in opensearch_client.opensearch_domains: for domain in opensearch_client.opensearch_domains.values():
report = Check_Report_AWS(self.metadata()) report = Check_Report_AWS(self.metadata())
report.region = domain.region report.region = domain.region
report.resource_id = domain.name report.resource_id = domain.name

2
prowler/providers/aws/services/opensearch/opensearch_service_domains_not_publicly_accessible/opensearch_service_domains_not_publicly_accessible.py
View File

@@ -7,7 +7,7 @@ from prowler.providers.aws.services.opensearch.opensearch_client import (
class opensearch_service_domains_not_publicly_accessible(Check): class opensearch_service_domains_not_publicly_accessible(Check):
def execute(self): def execute(self):
findings = [] findings = []
for domain in opensearch_client.opensearch_domains: for domain in opensearch_client.opensearch_domains.values():
report = Check_Report_AWS(self.metadata()) report = Check_Report_AWS(self.metadata())
report.region = domain.region report.region = domain.region
report.resource_id = domain.name report.resource_id = domain.name

4
prowler/providers/aws/services/opensearch/opensearch_service_domains_updated_to_the_latest_service_software_version/opensearch_service_domains_updated_to_the_latest_service_software_version.py
View File

@@ -7,14 +7,14 @@ from prowler.providers.aws.services.opensearch.opensearch_client import (
class opensearch_service_domains_updated_to_the_latest_service_software_version(Check): class opensearch_service_domains_updated_to_the_latest_service_software_version(Check):
def execute(self): def execute(self):
findings = [] findings = []
for domain in opensearch_client.opensearch_domains: for domain in opensearch_client.opensearch_domains.values():
report = Check_Report_AWS(self.metadata()) report = Check_Report_AWS(self.metadata())
report.region = domain.region report.region = domain.region
report.resource_id = domain.name report.resource_id = domain.name
report.resource_arn = domain.arn report.resource_arn = domain.arn
report.resource_tags = domain.tags report.resource_tags = domain.tags
report.status = "PASS" report.status = "PASS"
report.status_extended = f"Opensearch domain {domain.name} with version {domain.version} does not have internal updates available." report.status_extended = f"Opensearch domain {domain.name} with version {domain.version} does not have internal updates available."
if domain.update_available: if domain.update_available:
report.status = "FAIL" report.status = "FAIL"
report.status_extended = f"Opensearch domain {domain.name} with version {domain.version} has internal updates available." report.status_extended = f"Opensearch domain {domain.name} with version {domain.version} has internal updates available."

2
prowler/providers/aws/services/opensearch/opensearch_service_domains_use_cognito_authentication_for_kibana/opensearch_service_domains_use_cognito_authentication_for_kibana.py
View File

@@ -7,7 +7,7 @@ from prowler.providers.aws.services.opensearch.opensearch_client import (
class opensearch_service_domains_use_cognito_authentication_for_kibana(Check): class opensearch_service_domains_use_cognito_authentication_for_kibana(Check):
def execute(self): def execute(self):
findings = [] findings = []
for domain in opensearch_client.opensearch_domains: for domain in opensearch_client.opensearch_domains.values():
report = Check_Report_AWS(self.metadata()) report = Check_Report_AWS(self.metadata())
report.region = domain.region report.region = domain.region
report.resource_id = domain.name report.resource_id = domain.name

105
tests/providers/aws/services/opensearch/opensearch_service_domains_access_control_enabled/opensearch_service_domains_access_control_enabled_test.py
View File

@@ -1,26 +1,32 @@
from re import search
from unittest import mock from unittest import mock
from prowler.providers.aws.services.opensearch.opensearch_service import ( from boto3 import client
OpenSearchDomain, from moto import mock_aws
)
from tests.providers.aws.utils import AWS_ACCOUNT_NUMBER, AWS_REGION_EU_WEST_1
domain_name = "test-domain" from tests.providers.aws.utils import (
domain_arn = f"arn:aws:es:us-west-2:{AWS_ACCOUNT_NUMBER}:domain/{domain_name}" AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_provider,
)
class Test_opensearch_service_domains_access_control_enabled: class Test_opensearch_service_domains_access_control_enabled:
@mock_aws
def test_no_domains(self): def test_no_domains(self):
opensearch_client = mock.MagicMock client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = []
from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_access_control_enabled.opensearch_service_domains_access_control_enabled.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_access_control_enabled.opensearch_service_domains_access_control_enabled.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_access_control_enabled.opensearch_service_domains_access_control_enabled import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_access_control_enabled.opensearch_service_domains_access_control_enabled import (
opensearch_service_domains_access_control_enabled, opensearch_service_domains_access_control_enabled,
@@ -30,22 +36,26 @@ class Test_opensearch_service_domains_access_control_enabled:
result = check.execute() result = check.execute()
assert len(result) == 0 assert len(result) == 0
@mock_aws
def test_no_fine_grained_access_enabled(self): def test_no_fine_grained_access_enabled(self):
opensearch_client = mock.MagicMock opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = [] domain = opensearch_client.create_domain(
opensearch_client.opensearch_domains.append( DomainName="test-domain",
OpenSearchDomain( AdvancedSecurityOptions={"Enabled": False},
name=domain_name, region=AWS_REGION_EU_WEST_1, arn=domain_arn
)
) )
opensearch_client.opensearch_domains[0].advanced_settings_enabled = False
from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_access_control_enabled.opensearch_service_domains_access_control_enabled.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_access_control_enabled.opensearch_service_domains_access_control_enabled.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_access_control_enabled.opensearch_service_domains_access_control_enabled import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_access_control_enabled.opensearch_service_domains_access_control_enabled import (
opensearch_service_domains_access_control_enabled, opensearch_service_domains_access_control_enabled,
@@ -55,29 +65,36 @@ class Test_opensearch_service_domains_access_control_enabled:
result = check.execute() result = check.execute()
assert len(result) == 1 assert len(result) == 1
assert result[0].status == "FAIL" assert result[0].status == "FAIL"
assert search( assert (
"does not have fine grained access control enabled.", f"Opensearch domain {domain["DomainStatus"]["DomainName"]} does not have fine grained access control enabled."
result[0].status_extended, == result[0].status_extended
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
) )
assert result[0].resource_id == domain_name
assert result[0].resource_arn == domain_arn
def test_logging_AUDIT_LOGS_enabled(self): @mock_aws
opensearch_client = mock.MagicMock def test_fine_grained_access_enabled(self):
opensearch_client.opensearch_domains = [] opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains.append( domain = opensearch_client.create_domain(
OpenSearchDomain( DomainName="test-domain",
name=domain_name, region=AWS_REGION_EU_WEST_1, arn=domain_arn AdvancedSecurityOptions={"Enabled": True},
)
) )
opensearch_client.opensearch_domains[0].advanced_settings_enabled = True
from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_access_control_enabled.opensearch_service_domains_access_control_enabled.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_access_control_enabled.opensearch_service_domains_access_control_enabled.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_access_control_enabled.opensearch_service_domains_access_control_enabled import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_access_control_enabled.opensearch_service_domains_access_control_enabled import (
opensearch_service_domains_access_control_enabled, opensearch_service_domains_access_control_enabled,
@@ -87,8 +104,12 @@ class Test_opensearch_service_domains_access_control_enabled:
result = check.execute() result = check.execute()
assert len(result) == 1 assert len(result) == 1
assert result[0].status == "PASS" assert result[0].status == "PASS"
assert search( assert (
"has fine grained access control enabled.", result[0].status_extended f"Opensearch domain {domain["DomainStatus"]["DomainName"]} has fine grained access control enabled."
== result[0].status_extended
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
) )
assert result[0].resource_id == domain_name
assert result[0].resource_arn == domain_arn

115
tests/providers/aws/services/opensearch/opensearch_service_domains_at_least_three_master_nodes/opensearch_service_domains_at_least_three_master_nodes_test.py Normal file
View File

@@ -0,0 +1,115 @@
from unittest import mock
from boto3 import client
from moto import mock_aws
from tests.providers.aws.utils import (
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_provider,
)
class Test_opensearch_service_domains_at_least_three_master_nodes:
@mock_aws
def test_no_domains(self):
client("opensearch", region_name=AWS_REGION_US_EAST_1)
from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mocked_aws_provider,
), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_at_least_three_master_nodes.opensearch_service_domains_at_least_three_master_nodes.opensearch_client",
new=OpenSearchService(mocked_aws_provider),
):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_at_least_three_master_nodes.opensearch_service_domains_at_least_three_master_nodes import (
opensearch_service_domains_at_least_three_master_nodes,
)
check = opensearch_service_domains_at_least_three_master_nodes()
result = check.execute()
assert len(result) == 0
@mock_aws
def test_less_than_three_master_nodes(self):
opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
domain = opensearch_client.create_domain(
DomainName="test-domain-2-nodes",
ClusterConfig={"DedicatedMasterCount": 2},
)
from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mocked_aws_provider,
), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_at_least_three_master_nodes.opensearch_service_domains_at_least_three_master_nodes.opensearch_client",
new=OpenSearchService(mocked_aws_provider),
):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_at_least_three_master_nodes.opensearch_service_domains_at_least_three_master_nodes import (
opensearch_service_domains_at_least_three_master_nodes,
)
check = opensearch_service_domains_at_least_three_master_nodes()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== "Opensearch domain test-domain-2-nodes has only 2 master nodes."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
)
@mock_aws
def test_at_least_three_master_nodes(self):
opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
domain = opensearch_client.create_domain(
DomainName="test-domain-3-nodes",
ClusterConfig={"DedicatedMasterCount": 3},
)
from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mocked_aws_provider,
), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_at_least_three_master_nodes.opensearch_service_domains_at_least_three_master_nodes.opensearch_client",
new=OpenSearchService(mocked_aws_provider),
):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_at_least_three_master_nodes.opensearch_service_domains_at_least_three_master_nodes import (
opensearch_service_domains_at_least_three_master_nodes,
)
check = opensearch_service_domains_at_least_three_master_nodes()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== "Opensearch domain test-domain-3-nodes has 3 master nodes."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
)

203
tests/providers/aws/services/opensearch/opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled/opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled_test.py Normal file
View File

@@ -0,0 +1,203 @@
from unittest import mock
from boto3 import client
from moto import mock_aws
from tests.providers.aws.utils import (
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_provider,
)
class Test_opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled:
@mock_aws
def test_no_domains(self):
client("opensearch", region_name=AWS_REGION_US_EAST_1)
from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mocked_aws_provider,
), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled.opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled.opensearch_client",
new=OpenSearchService(mocked_aws_provider),
):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled.opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled import (
opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled,
)
check = (
opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled()
)
result = check.execute()
assert len(result) == 0
@mock_aws
def test_instance_count_less_than_three_zoneawareness_enabled(self):
opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
domain = opensearch_client.create_domain(
DomainName="test-domain",
ClusterConfig={"ZoneAwarenessEnabled": True, "InstanceCount": 2},
)
from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mocked_aws_provider,
), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled.opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled.opensearch_client",
new=OpenSearchService(mocked_aws_provider),
):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled.opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled import (
opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled,
)
check = (
opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled()
)
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== "Opensearch domain test-domain has zone awareness enabled, but only 2 data nodes."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
)
@mock_aws
def test_instance_count_more_than_three_zoneawareness_not_enabled(self):
opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
domain = opensearch_client.create_domain(
DomainName="test-domain",
ClusterConfig={"ZoneAwarenessEnabled": False, "InstanceCount": 3},
)
from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mocked_aws_provider,
), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled.opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled.opensearch_client",
new=OpenSearchService(mocked_aws_provider),
):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled.opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled import (
opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled,
)
check = (
opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled()
)
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== "Opensearch domain test-domain has 3 data nodes, but zone awareness is not enabled."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
)
@mock_aws
def test_instance_count_less_than_three_zoneawareness_not_enabled(self):
opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
domain = opensearch_client.create_domain(
DomainName="test-domain",
ClusterConfig={"ZoneAwarenessEnabled": False, "InstanceCount": 2},
)
from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mocked_aws_provider,
), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled.opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled.opensearch_client",
new=OpenSearchService(mocked_aws_provider),
):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled.opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled import (
opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled,
)
check = (
opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled()
)
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== "Opensearch domain test-domain does not meet the requirements: it has less than 3 data nodes and zone awareness is not enabled."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
)
@mock_aws
def test_logging_instance_count_more_than_three_zoneawareness_enabled(self):
opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
domain = opensearch_client.create_domain(
DomainName="test-domain",
ClusterConfig={"ZoneAwarenessEnabled": True, "InstanceCount": 3},
)
from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mocked_aws_provider,
), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled.opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled.opensearch_client",
new=OpenSearchService(mocked_aws_provider),
):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled.opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled import (
opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled,
)
check = (
opensearch_service_domains_at_least_three_nodes_and_zoneawareness_enabled()
)
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== "Opensearch domain test-domain has 3 data nodes and zone awareness enabled."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
)

113
tests/providers/aws/services/opensearch/opensearch_service_domains_audit_logging_enabled/opensearch_service_domains_audit_logging_enabled_test.py
View File

@@ -1,27 +1,32 @@
from re import search
from unittest import mock from unittest import mock
from prowler.providers.aws.services.opensearch.opensearch_service import ( from boto3 import client
OpenSearchDomain, from moto import mock_aws
PublishingLoggingOption,
)
from tests.providers.aws.utils import AWS_ACCOUNT_NUMBER, AWS_REGION_EU_WEST_1
domain_name = "test-domain" from tests.providers.aws.utils import (
domain_arn = f"arn:aws:es:us-west-2:{AWS_ACCOUNT_NUMBER}:domain/{domain_name}" AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_provider,
)
class Test_opensearch_service_domains_audit_logging_enabled: class Test_opensearch_service_domains_audit_logging_enabled:
@mock_aws
def test_no_domains(self): def test_no_domains(self):
opensearch_client = mock.MagicMock client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = []
from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_audit_logging_enabled.opensearch_service_domains_audit_logging_enabled.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_audit_logging_enabled.opensearch_service_domains_audit_logging_enabled.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_audit_logging_enabled.opensearch_service_domains_audit_logging_enabled import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_audit_logging_enabled.opensearch_service_domains_audit_logging_enabled import (
opensearch_service_domains_audit_logging_enabled, opensearch_service_domains_audit_logging_enabled,
@@ -31,22 +36,29 @@ class Test_opensearch_service_domains_audit_logging_enabled:
result = check.execute() result = check.execute()
assert len(result) == 0 assert len(result) == 0
@mock_aws
def test_no_logging_enabled(self): def test_no_logging_enabled(self):
opensearch_client = mock.MagicMock opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = [] domain = opensearch_client.create_domain(
opensearch_client.opensearch_domains.append( DomainName="test-domain-no-logging",
OpenSearchDomain( LogPublishingOptions={
name=domain_name, region=AWS_REGION_EU_WEST_1, arn=domain_arn "SEARCH_SLOW_LOGS": {
) "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:search-logs:*"
},
},
) )
opensearch_client.opensearch_domains[0].logging = [] from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_audit_logging_enabled.opensearch_service_domains_audit_logging_enabled.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_audit_logging_enabled.opensearch_service_domains_audit_logging_enabled.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_audit_logging_enabled.opensearch_service_domains_audit_logging_enabled import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_audit_logging_enabled.opensearch_service_domains_audit_logging_enabled import (
opensearch_service_domains_audit_logging_enabled, opensearch_service_domains_audit_logging_enabled,
@@ -56,29 +68,40 @@ class Test_opensearch_service_domains_audit_logging_enabled:
result = check.execute() result = check.execute()
assert len(result) == 1 assert len(result) == 1
assert result[0].status == "FAIL" assert result[0].status == "FAIL"
assert search("AUDIT_LOGS disabled", result[0].status_extended) assert (
assert result[0].resource_id == domain_name result[0].status_extended
assert result[0].resource_arn == domain_arn == "Opensearch domain test-domain-no-logging AUDIT_LOGS disabled."
def test_logging_AUDIT_LOGS_enabled(self):
opensearch_client = mock.MagicMock
opensearch_client.opensearch_domains = []
opensearch_client.opensearch_domains.append(
OpenSearchDomain(
name=domain_name, region=AWS_REGION_EU_WEST_1, arn=domain_arn
) )
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
)
@mock_aws
def test_logging_AUDIT_LOGS_enabled(self):
opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
domain = opensearch_client.create_domain(
DomainName="test-domain-logging",
LogPublishingOptions={
"AUDIT_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:audit-logs:*",
"Enabled": True,
},
},
) )
opensearch_client.opensearch_domains[0].logging = [] from prowler.providers.aws.services.opensearch.opensearch_service import (
opensearch_client.opensearch_domains[0].logging.append( OpenSearchService,
PublishingLoggingOption(name="AUDIT_LOGS", enabled=True)
) )
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_audit_logging_enabled.opensearch_service_domains_audit_logging_enabled.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_audit_logging_enabled.opensearch_service_domains_audit_logging_enabled.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_audit_logging_enabled.opensearch_service_domains_audit_logging_enabled import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_audit_logging_enabled.opensearch_service_domains_audit_logging_enabled import (
opensearch_service_domains_audit_logging_enabled, opensearch_service_domains_audit_logging_enabled,
@@ -88,6 +111,12 @@ class Test_opensearch_service_domains_audit_logging_enabled:
result = check.execute() result = check.execute()
assert len(result) == 1 assert len(result) == 1
assert result[0].status == "PASS" assert result[0].status == "PASS"
assert search("AUDIT_LOGS enabled", result[0].status_extended) assert (
assert result[0].resource_id == domain_name result[0].status_extended
assert result[0].resource_arn == domain_arn == "Opensearch domain test-domain-logging AUDIT_LOGS enabled."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
)

206
tests/providers/aws/services/opensearch/opensearch_service_domains_cloudwatch_logging_enabled/opensearch_service_domains_cloudwatch_logging_enabled_test.py
View File

@@ -1,27 +1,32 @@
from re import search
from unittest import mock from unittest import mock
from prowler.providers.aws.services.opensearch.opensearch_service import ( from boto3 import client
OpenSearchDomain, from moto import mock_aws
PublishingLoggingOption,
)
from tests.providers.aws.utils import AWS_ACCOUNT_NUMBER, AWS_REGION_EU_WEST_1
domain_name = "test-domain" from tests.providers.aws.utils import (
domain_arn = f"arn:aws:es:us-west-2:{AWS_ACCOUNT_NUMBER}:domain/{domain_name}" AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_provider,
)
class Test_opensearch_service_domains_cloudwatch_logging_enabled: class Test_opensearch_service_domains_cloudwatch_logging_enabled:
@mock_aws
def test_no_domains(self): def test_no_domains(self):
opensearch_client = mock.MagicMock client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = []
from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_service_domains_cloudwatch_logging_enabled import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_service_domains_cloudwatch_logging_enabled import (
opensearch_service_domains_cloudwatch_logging_enabled, opensearch_service_domains_cloudwatch_logging_enabled,
@@ -31,22 +36,30 @@ class Test_opensearch_service_domains_cloudwatch_logging_enabled:
result = check.execute() result = check.execute()
assert len(result) == 0 assert len(result) == 0
@mock_aws
def test_no_logging_enabled(self): def test_no_logging_enabled(self):
opensearch_client = mock.MagicMock opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = [] domain = opensearch_client.create_domain(
opensearch_client.opensearch_domains.append( DomainName="test-domain-no-logging",
OpenSearchDomain( LogPublishingOptions={
name=domain_name, region=AWS_REGION_EU_WEST_1, arn=domain_arn "AUDIT_LOGS": {
) "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:search-logs:*",
"Enabled": True,
},
},
) )
opensearch_client.opensearch_domains[0].logging = [] from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_service_domains_cloudwatch_logging_enabled import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_service_domains_cloudwatch_logging_enabled import (
opensearch_service_domains_cloudwatch_logging_enabled, opensearch_service_domains_cloudwatch_logging_enabled,
@@ -56,32 +69,40 @@ class Test_opensearch_service_domains_cloudwatch_logging_enabled:
result = check.execute() result = check.execute()
assert len(result) == 1 assert len(result) == 1
assert result[0].status == "FAIL" assert result[0].status == "FAIL"
assert search( assert (
"SEARCH_SLOW_LOGS and INDEX_SLOW_LOGS disabled", result[0].status_extended
result[0].status_extended, == "Opensearch domain test-domain-no-logging SEARCH_SLOW_LOGS and INDEX_SLOW_LOGS disabled."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
) )
assert result[0].resource_id == domain_name
assert result[0].resource_arn == domain_arn
@mock_aws
def test_logging_SEARCH_SLOW_LOGS_enabled(self): def test_logging_SEARCH_SLOW_LOGS_enabled(self):
opensearch_client = mock.MagicMock opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = [] domain = opensearch_client.create_domain(
opensearch_client.opensearch_domains.append( DomainName="test-domain-no-index-logging",
OpenSearchDomain( LogPublishingOptions={
name=domain_name, region=AWS_REGION_EU_WEST_1, arn=domain_arn "SEARCH_SLOW_LOGS": {
) "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:search-logs:*",
"Enabled": True,
},
},
) )
opensearch_client.opensearch_domains[0].logging = [] from prowler.providers.aws.services.opensearch.opensearch_service import (
opensearch_client.opensearch_domains[0].logging.append( OpenSearchService,
PublishingLoggingOption(name="SEARCH_SLOW_LOGS", enabled=True)
) )
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_service_domains_cloudwatch_logging_enabled import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_service_domains_cloudwatch_logging_enabled import (
opensearch_service_domains_cloudwatch_logging_enabled, opensearch_service_domains_cloudwatch_logging_enabled,
@@ -91,32 +112,40 @@ class Test_opensearch_service_domains_cloudwatch_logging_enabled:
result = check.execute() result = check.execute()
assert len(result) == 1 assert len(result) == 1
assert result[0].status == "FAIL" assert result[0].status == "FAIL"
assert search( assert (
"SEARCH_SLOW_LOGS enabled but INDEX_SLOW_LOGS disabled", result[0].status_extended
result[0].status_extended, == "Opensearch domain test-domain-no-index-logging SEARCH_SLOW_LOGS enabled but INDEX_SLOW_LOGS disabled."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
) )
assert result[0].resource_id == domain_name
assert result[0].resource_arn == domain_arn
@mock_aws
def test_logging_INDEX_SLOW_LOGS_enabled(self): def test_logging_INDEX_SLOW_LOGS_enabled(self):
opensearch_client = mock.MagicMock opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = [] domain = opensearch_client.create_domain(
opensearch_client.opensearch_domains.append( DomainName="test-domain-no-search-logging",
OpenSearchDomain( LogPublishingOptions={
name=domain_name, region=AWS_REGION_EU_WEST_1, arn=domain_arn "INDEX_SLOW_LOGS": {
) "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:search-logs:*",
"Enabled": True,
},
},
) )
opensearch_client.opensearch_domains[0].logging = [] from prowler.providers.aws.services.opensearch.opensearch_service import (
opensearch_client.opensearch_domains[0].logging.append( OpenSearchService,
PublishingLoggingOption(name="INDEX_SLOW_LOGS", enabled=True)
) )
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_service_domains_cloudwatch_logging_enabled import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_service_domains_cloudwatch_logging_enabled import (
opensearch_service_domains_cloudwatch_logging_enabled, opensearch_service_domains_cloudwatch_logging_enabled,
@@ -126,34 +155,44 @@ class Test_opensearch_service_domains_cloudwatch_logging_enabled:
result = check.execute() result = check.execute()
assert len(result) == 1 assert len(result) == 1
assert result[0].status == "FAIL" assert result[0].status == "FAIL"
assert search( assert (
"INDEX_SLOW_LOGS enabled but SEARCH_SLOW_LOGS disabled", result[0].status_extended
result[0].status_extended, == "Opensearch domain test-domain-no-search-logging INDEX_SLOW_LOGS enabled but SEARCH_SLOW_LOGS disabled."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
) )
assert result[0].resource_id == domain_name
assert result[0].resource_arn == domain_arn
@mock_aws
def test_logging_INDEX_SLOW_LOGS_and_SEARCH_SLOW_LOGS_enabled(self): def test_logging_INDEX_SLOW_LOGS_and_SEARCH_SLOW_LOGS_enabled(self):
opensearch_client = mock.MagicMock opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = [] domain = opensearch_client.create_domain(
opensearch_client.opensearch_domains.append( DomainName="test-domain-logging",
OpenSearchDomain( LogPublishingOptions={
name=domain_name, region=AWS_REGION_EU_WEST_1, arn=domain_arn "SEARCH_SLOW_LOGS": {
) "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:search-logs:*",
"Enabled": True,
},
"INDEX_SLOW_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:search-logs:*",
"Enabled": True,
},
},
) )
opensearch_client.opensearch_domains[0].logging = [] from prowler.providers.aws.services.opensearch.opensearch_service import (
logging_options = [ OpenSearchService,
PublishingLoggingOption(name="INDEX_SLOW_LOGS", enabled=True), )
PublishingLoggingOption(name="SEARCH_SLOW_LOGS", enabled=True),
] mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
opensearch_client.opensearch_domains[0].logging.extend(logging_options)
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_service_domains_cloudwatch_logging_enabled import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_cloudwatch_logging_enabled.opensearch_service_domains_cloudwatch_logging_enabled import (
opensearch_service_domains_cloudwatch_logging_enabled, opensearch_service_domains_cloudwatch_logging_enabled,
@@ -163,9 +202,12 @@ class Test_opensearch_service_domains_cloudwatch_logging_enabled:
result = check.execute() result = check.execute()
assert len(result) == 1 assert len(result) == 1
assert result[0].status == "PASS" assert result[0].status == "PASS"
assert search( assert (
"SEARCH_SLOW_LOGS and INDEX_SLOW_LOGS enabled", result[0].status_extended
result[0].status_extended, == "Opensearch domain test-domain-logging SEARCH_SLOW_LOGS and INDEX_SLOW_LOGS enabled."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
) )
assert result[0].resource_id == domain_name
assert result[0].resource_arn == domain_arn

106
tests/providers/aws/services/opensearch/opensearch_service_domains_encryption_at_rest_enabled/opensearch_service_domains_encryption_at_rest_enabled_test.py
View File

@@ -1,26 +1,32 @@
from re import search
from unittest import mock from unittest import mock
from prowler.providers.aws.services.opensearch.opensearch_service import ( from boto3 import client
OpenSearchDomain, from moto import mock_aws
)
from tests.providers.aws.utils import AWS_ACCOUNT_NUMBER, AWS_REGION_EU_WEST_1
domain_name = "test-domain" from tests.providers.aws.utils import (
domain_arn = f"arn:aws:es:us-west-2:{AWS_ACCOUNT_NUMBER}:domain/{domain_name}" AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_provider,
)
class Test_opensearch_service_domains_encryption_at_rest_enabled: class Test_opensearch_service_domains_encryption_at_rest_enabled:
@mock_aws
def test_no_domains(self): def test_no_domains(self):
opensearch_client = mock.MagicMock client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = []
from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_encryption_at_rest_enabled.opensearch_service_domains_encryption_at_rest_enabled.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_encryption_at_rest_enabled.opensearch_service_domains_encryption_at_rest_enabled.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_encryption_at_rest_enabled.opensearch_service_domains_encryption_at_rest_enabled import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_encryption_at_rest_enabled.opensearch_service_domains_encryption_at_rest_enabled import (
opensearch_service_domains_encryption_at_rest_enabled, opensearch_service_domains_encryption_at_rest_enabled,
@@ -30,25 +36,25 @@ class Test_opensearch_service_domains_encryption_at_rest_enabled:
result = check.execute() result = check.execute()
assert len(result) == 0 assert len(result) == 0
@mock_aws
def test_no_encryption_at_rest_enabled(self): def test_no_encryption_at_rest_enabled(self):
opensearch_client = mock.MagicMock opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = [] domain = opensearch_client.create_domain(
opensearch_client.opensearch_domains.append( DomainName="test-domain-no-encryption",
OpenSearchDomain( EncryptionAtRestOptions={"Enabled": False},
name=domain_name,
region=AWS_REGION_EU_WEST_1,
arn=domain_arn,
encryption_at_rest=False,
)
) )
opensearch_client.opensearch_domains[0].logging = [] from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_encryption_at_rest_enabled.opensearch_service_domains_encryption_at_rest_enabled.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_encryption_at_rest_enabled.opensearch_service_domains_encryption_at_rest_enabled.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_encryption_at_rest_enabled.opensearch_service_domains_encryption_at_rest_enabled import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_encryption_at_rest_enabled.opensearch_service_domains_encryption_at_rest_enabled import (
opensearch_service_domains_encryption_at_rest_enabled, opensearch_service_domains_encryption_at_rest_enabled,
@@ -58,31 +64,35 @@ class Test_opensearch_service_domains_encryption_at_rest_enabled:
result = check.execute() result = check.execute()
assert len(result) == 1 assert len(result) == 1
assert result[0].status == "FAIL" assert result[0].status == "FAIL"
assert search( assert (
"does not have encryption at-rest enabled", result[0].status_extended result[0].status_extended
== "Opensearch domain test-domain-no-encryption does not have encryption at-rest enabled."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
) )
assert result[0].resource_id == domain_name
assert result[0].resource_arn == domain_arn
@mock_aws
def test_encryption_at_rest_enabled(self): def test_encryption_at_rest_enabled(self):
opensearch_client = mock.MagicMock opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = [] domain = opensearch_client.create_domain(
opensearch_client.opensearch_domains.append( DomainName="test-domain-encryption-at-rest",
OpenSearchDomain( EncryptionAtRestOptions={"Enabled": True},
name=domain_name,
region=AWS_REGION_EU_WEST_1,
arn=domain_arn,
encryption_at_rest=True,
)
) )
opensearch_client.opensearch_domains[0].logging = [] from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_encryption_at_rest_enabled.opensearch_service_domains_encryption_at_rest_enabled.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_encryption_at_rest_enabled.opensearch_service_domains_encryption_at_rest_enabled.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_encryption_at_rest_enabled.opensearch_service_domains_encryption_at_rest_enabled import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_encryption_at_rest_enabled.opensearch_service_domains_encryption_at_rest_enabled import (
opensearch_service_domains_encryption_at_rest_enabled, opensearch_service_domains_encryption_at_rest_enabled,
@@ -92,6 +102,12 @@ class Test_opensearch_service_domains_encryption_at_rest_enabled:
result = check.execute() result = check.execute()
assert len(result) == 1 assert len(result) == 1
assert result[0].status == "PASS" assert result[0].status == "PASS"
assert search("has encryption at-rest enabled", result[0].status_extended) assert (
assert result[0].resource_id == domain_name result[0].status_extended
assert result[0].resource_arn == domain_arn == "Opensearch domain test-domain-encryption-at-rest has encryption at-rest enabled."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
)

110
tests/providers/aws/services/opensearch/opensearch_service_domains_https_communications_enforced/opensearch_service_domains_https_communications_enforced_test.py
View File

@@ -1,26 +1,32 @@
from re import search
from unittest import mock from unittest import mock
from prowler.providers.aws.services.opensearch.opensearch_service import ( from boto3 import client
OpenSearchDomain, from moto import mock_aws
)
from tests.providers.aws.utils import AWS_ACCOUNT_NUMBER, AWS_REGION_EU_WEST_1
domain_name = "test-domain" from tests.providers.aws.utils import (
domain_arn = f"arn:aws:es:us-west-2:{AWS_ACCOUNT_NUMBER}:domain/{domain_name}" AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_provider,
)
class Test_opensearch_service_domains_https_communications_enforced: class Test_opensearch_service_domains_https_communications_enforced:
@mock_aws
def test_no_domains(self): def test_no_domains(self):
opensearch_client = mock.MagicMock client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = []
from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_https_communications_enforced.opensearch_service_domains_https_communications_enforced.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_https_communications_enforced.opensearch_service_domains_https_communications_enforced.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_https_communications_enforced.opensearch_service_domains_https_communications_enforced import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_https_communications_enforced.opensearch_service_domains_https_communications_enforced import (
opensearch_service_domains_https_communications_enforced, opensearch_service_domains_https_communications_enforced,
@@ -30,25 +36,27 @@ class Test_opensearch_service_domains_https_communications_enforced:
result = check.execute() result = check.execute()
assert len(result) == 0 assert len(result) == 0
@mock_aws
def test_no_https_enabled(self): def test_no_https_enabled(self):
opensearch_client = mock.MagicMock opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = [] domain = opensearch_client.create_domain(
opensearch_client.opensearch_domains.append( DomainName="test-domain-no-https",
OpenSearchDomain( DomainEndpointOptions={
name=domain_name, "EnforceHTTPS": False,
region=AWS_REGION_EU_WEST_1, },
arn=domain_arn,
enforce_https=False,
)
) )
opensearch_client.opensearch_domains[0].logging = [] from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_https_communications_enforced.opensearch_service_domains_https_communications_enforced.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_https_communications_enforced.opensearch_service_domains_https_communications_enforced.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_https_communications_enforced.opensearch_service_domains_https_communications_enforced import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_https_communications_enforced.opensearch_service_domains_https_communications_enforced import (
opensearch_service_domains_https_communications_enforced, opensearch_service_domains_https_communications_enforced,
@@ -58,31 +66,37 @@ class Test_opensearch_service_domains_https_communications_enforced:
result = check.execute() result = check.execute()
assert len(result) == 1 assert len(result) == 1
assert result[0].status == "FAIL" assert result[0].status == "FAIL"
assert search( assert (
"does not have enforce HTTPS enabled", result[0].status_extended result[0].status_extended
== "Opensearch domain test-domain-no-https does not have enforce HTTPS enabled."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
) )
assert result[0].resource_id == domain_name
assert result[0].resource_arn == domain_arn
@mock_aws
def test_https_enabled(self): def test_https_enabled(self):
opensearch_client = mock.MagicMock opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = [] domain = opensearch_client.create_domain(
opensearch_client.opensearch_domains.append( DomainName="test-domain-https",
OpenSearchDomain( DomainEndpointOptions={
name=domain_name, "EnforceHTTPS": True,
region=AWS_REGION_EU_WEST_1, },
arn=domain_arn,
enforce_https=True,
)
) )
opensearch_client.opensearch_domains[0].logging = [] from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_https_communications_enforced.opensearch_service_domains_https_communications_enforced.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_https_communications_enforced.opensearch_service_domains_https_communications_enforced.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_https_communications_enforced.opensearch_service_domains_https_communications_enforced import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_https_communications_enforced.opensearch_service_domains_https_communications_enforced import (
opensearch_service_domains_https_communications_enforced, opensearch_service_domains_https_communications_enforced,
@@ -92,6 +106,12 @@ class Test_opensearch_service_domains_https_communications_enforced:
result = check.execute() result = check.execute()
assert len(result) == 1 assert len(result) == 1
assert result[0].status == "PASS" assert result[0].status == "PASS"
assert search("has enforce HTTPS enabled", result[0].status_extended) assert (
assert result[0].resource_id == domain_name result[0].status_extended
assert result[0].resource_arn == domain_arn == "Opensearch domain test-domain-https has enforce HTTPS enabled."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
)

107
tests/providers/aws/services/opensearch/opensearch_service_domains_internal_user_database_enabled/opensearch_service_domains_internal_user_database_enabled_test.py
View File

@@ -1,26 +1,32 @@
from re import search
from unittest import mock from unittest import mock
from prowler.providers.aws.services.opensearch.opensearch_service import ( from boto3 import client
OpenSearchDomain, from moto import mock_aws
)
from tests.providers.aws.utils import AWS_ACCOUNT_NUMBER, AWS_REGION_EU_WEST_1
domain_name = "test-domain" from tests.providers.aws.utils import (
domain_arn = f"arn:aws:es:us-west-2:{AWS_ACCOUNT_NUMBER}:domain/{domain_name}" AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_provider,
)
class Test_opensearch_service_domains_internal_user_database_enabled: class Test_opensearch_service_domains_internal_user_database_enabled:
@mock_aws
def test_no_domains(self): def test_no_domains(self):
opensearch_client = mock.MagicMock client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = []
from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_internal_user_database_enabled.opensearch_service_domains_internal_user_database_enabled.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_internal_user_database_enabled.opensearch_service_domains_internal_user_database_enabled.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_internal_user_database_enabled.opensearch_service_domains_internal_user_database_enabled import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_internal_user_database_enabled.opensearch_service_domains_internal_user_database_enabled import (
opensearch_service_domains_internal_user_database_enabled, opensearch_service_domains_internal_user_database_enabled,
@@ -30,25 +36,25 @@ class Test_opensearch_service_domains_internal_user_database_enabled:
result = check.execute() result = check.execute()
assert len(result) == 0 assert len(result) == 0
@mock_aws
def test_internal_database_disabled(self): def test_internal_database_disabled(self):
opensearch_client = mock.MagicMock opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = [] domain = opensearch_client.create_domain(
opensearch_client.opensearch_domains.append( DomainName="test-domain",
OpenSearchDomain( AdvancedSecurityOptions={"InternalUserDatabaseEnabled": False},
name=domain_name,
region=AWS_REGION_EU_WEST_1,
arn=domain_arn,
internal_user_database=False,
)
) )
opensearch_client.opensearch_domains[0].logging = [] from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_internal_user_database_enabled.opensearch_service_domains_internal_user_database_enabled.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_internal_user_database_enabled.opensearch_service_domains_internal_user_database_enabled.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_internal_user_database_enabled.opensearch_service_domains_internal_user_database_enabled import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_internal_user_database_enabled.opensearch_service_domains_internal_user_database_enabled import (
opensearch_service_domains_internal_user_database_enabled, opensearch_service_domains_internal_user_database_enabled,
@@ -58,32 +64,35 @@ class Test_opensearch_service_domains_internal_user_database_enabled:
result = check.execute() result = check.execute()
assert len(result) == 1 assert len(result) == 1
assert result[0].status == "PASS" assert result[0].status == "PASS"
assert search( assert (
"does not have internal user database enabled", result[0].status_extended
result[0].status_extended, == "Opensearch domain test-domain does not have internal user database enabled."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
) )
assert result[0].resource_id == domain_name
assert result[0].resource_arn == domain_arn
@mock_aws
def test_internal_database_enabled(self): def test_internal_database_enabled(self):
opensearch_client = mock.MagicMock opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = [] domain = opensearch_client.create_domain(
opensearch_client.opensearch_domains.append( DomainName="test-domain",
OpenSearchDomain( AdvancedSecurityOptions={"InternalUserDatabaseEnabled": True},
name=domain_name,
region=AWS_REGION_EU_WEST_1,
arn=domain_arn,
internal_user_database=True,
)
) )
opensearch_client.opensearch_domains[0].logging = [] from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_internal_user_database_enabled.opensearch_service_domains_internal_user_database_enabled.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_internal_user_database_enabled.opensearch_service_domains_internal_user_database_enabled.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_internal_user_database_enabled.opensearch_service_domains_internal_user_database_enabled import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_internal_user_database_enabled.opensearch_service_domains_internal_user_database_enabled import (
opensearch_service_domains_internal_user_database_enabled, opensearch_service_domains_internal_user_database_enabled,
@@ -93,8 +102,12 @@ class Test_opensearch_service_domains_internal_user_database_enabled:
result = check.execute() result = check.execute()
assert len(result) == 1 assert len(result) == 1
assert result[0].status == "FAIL" assert result[0].status == "FAIL"
assert search( assert (
"has internal user database enabled", result[0].status_extended result[0].status_extended
== "Opensearch domain test-domain has internal user database enabled."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
) )
assert result[0].resource_id == domain_name
assert result[0].resource_arn == domain_arn

107
tests/providers/aws/services/opensearch/opensearch_service_domains_node_to_node_encryption_enabled/opensearch_service_domains_node_to_node_encryption_enabled_test.py
View File

@@ -1,26 +1,32 @@
from re import search
from unittest import mock from unittest import mock
from prowler.providers.aws.services.opensearch.opensearch_service import ( from boto3 import client
OpenSearchDomain, from moto import mock_aws
)
from tests.providers.aws.utils import AWS_ACCOUNT_NUMBER, AWS_REGION_EU_WEST_1
domain_name = "test-domain" from tests.providers.aws.utils import (
domain_arn = f"arn:aws:es:us-west-2:{AWS_ACCOUNT_NUMBER}:domain/{domain_name}" AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_provider,
)
class Test_opensearch_service_domains_node_to_node_encryption_enabled: class Test_opensearch_service_domains_node_to_node_encryption_enabled:
@mock_aws
def test_no_domains(self): def test_no_domains(self):
opensearch_client = mock.MagicMock client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = []
from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_node_to_node_encryption_enabled.opensearch_service_domains_node_to_node_encryption_enabled.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_node_to_node_encryption_enabled.opensearch_service_domains_node_to_node_encryption_enabled.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_node_to_node_encryption_enabled.opensearch_service_domains_node_to_node_encryption_enabled import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_node_to_node_encryption_enabled.opensearch_service_domains_node_to_node_encryption_enabled import (
opensearch_service_domains_node_to_node_encryption_enabled, opensearch_service_domains_node_to_node_encryption_enabled,
@@ -30,25 +36,25 @@ class Test_opensearch_service_domains_node_to_node_encryption_enabled:
result = check.execute() result = check.execute()
assert len(result) == 0 assert len(result) == 0
@mock_aws
def test_no_encryption_enabled(self): def test_no_encryption_enabled(self):
opensearch_client = mock.MagicMock opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = [] domain = opensearch_client.create_domain(
opensearch_client.opensearch_domains.append( DomainName="test-domain-no-encryption",
OpenSearchDomain( NodeToNodeEncryptionOptions={"Enabled": False},
name=domain_name,
region=AWS_REGION_EU_WEST_1,
arn=domain_arn,
node_to_node_encryption=False,
)
) )
opensearch_client.opensearch_domains[0].logging = [] from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_node_to_node_encryption_enabled.opensearch_service_domains_node_to_node_encryption_enabled.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_node_to_node_encryption_enabled.opensearch_service_domains_node_to_node_encryption_enabled.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_node_to_node_encryption_enabled.opensearch_service_domains_node_to_node_encryption_enabled import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_node_to_node_encryption_enabled.opensearch_service_domains_node_to_node_encryption_enabled import (
opensearch_service_domains_node_to_node_encryption_enabled, opensearch_service_domains_node_to_node_encryption_enabled,
@@ -58,32 +64,35 @@ class Test_opensearch_service_domains_node_to_node_encryption_enabled:
result = check.execute() result = check.execute()
assert len(result) == 1 assert len(result) == 1
assert result[0].status == "FAIL" assert result[0].status == "FAIL"
assert search( assert (
"does not have node-to-node encryption enabled", result[0].status_extended
result[0].status_extended, == "Opensearch domain test-domain-no-encryption does not have node-to-node encryption enabled."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
) )
assert result[0].resource_id == domain_name
assert result[0].resource_arn == domain_arn
@mock_aws
def test_encryption_enabled(self): def test_encryption_enabled(self):
opensearch_client = mock.MagicMock opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = [] domain = opensearch_client.create_domain(
opensearch_client.opensearch_domains.append( DomainName="test-domain-encryption",
OpenSearchDomain( NodeToNodeEncryptionOptions={"Enabled": True},
name=domain_name,
region=AWS_REGION_EU_WEST_1,
arn=domain_arn,
node_to_node_encryption=True,
)
) )
opensearch_client.opensearch_domains[0].logging = [] from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_node_to_node_encryption_enabled.opensearch_service_domains_node_to_node_encryption_enabled.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_node_to_node_encryption_enabled.opensearch_service_domains_node_to_node_encryption_enabled.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_node_to_node_encryption_enabled.opensearch_service_domains_node_to_node_encryption_enabled import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_node_to_node_encryption_enabled.opensearch_service_domains_node_to_node_encryption_enabled import (
opensearch_service_domains_node_to_node_encryption_enabled, opensearch_service_domains_node_to_node_encryption_enabled,
@@ -93,8 +102,12 @@ class Test_opensearch_service_domains_node_to_node_encryption_enabled:
result = check.execute() result = check.execute()
assert len(result) == 1 assert len(result) == 1
assert result[0].status == "PASS" assert result[0].status == "PASS"
assert search( assert (
"has node-to-node encryption enabled", result[0].status_extended result[0].status_extended
== "Opensearch domain test-domain-encryption has node-to-node encryption enabled."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
) )
assert result[0].resource_id == domain_name
assert result[0].resource_arn == domain_arn

15
tests/providers/aws/services/opensearch/opensearch_service_domains_not_publicly_accessible/opensearch_service_domains_not_publicly_accessible_test.py
View File

@@ -306,7 +306,7 @@ class Test_opensearch_service_domains_not_publicly_accessible:
def test_domain_inside_vpc(self): def test_domain_inside_vpc(self):
opensearch_client = mock.MagicMock opensearch_client = mock.MagicMock
opensearch_client.opensearch_domains = [] opensearch_client.opensearch_domains = {}
aws_provider = set_mocked_aws_provider([AWS_REGION_US_WEST_2]) aws_provider = set_mocked_aws_provider([AWS_REGION_US_WEST_2])
@@ -324,13 +324,12 @@ class Test_opensearch_service_domains_not_publicly_accessible:
opensearch_service_domains_not_publicly_accessible, opensearch_service_domains_not_publicly_accessible,
) )
opensearch_client.opensearch_domains.append( domain_arn = f"arn:aws:es:{AWS_REGION_US_WEST_2}:{AWS_ACCOUNT_NUMBER}:domain/{domain_name}"
OpenSearchDomain( opensearch_client.opensearch_domains[domain_arn] = OpenSearchDomain(
name=domain_name, name=domain_name,
region=AWS_REGION_US_WEST_2, region=AWS_REGION_US_WEST_2,
arn=f"arn:aws:es:{AWS_REGION_US_WEST_2}:{AWS_ACCOUNT_NUMBER}:domain/{domain_name}", arn=domain_arn,
vpc_id="vpc-123456", vpc_id="vpc-123456",
)
) )
check = opensearch_service_domains_not_publicly_accessible() check = opensearch_service_domains_not_publicly_accessible()

187
tests/providers/aws/services/opensearch/opensearch_service_domains_updated_to_the_latest_service_software_version/opensearch_service_domains_updated_to_the_latest_service_software_version_test.py
View File

@@ -1,26 +1,76 @@
from re import search
from unittest import mock from unittest import mock
from prowler.providers.aws.services.opensearch.opensearch_service import ( import botocore
OpenSearchDomain, from boto3 import client
) from moto import mock_aws
from tests.providers.aws.utils import AWS_ACCOUNT_NUMBER, AWS_REGION_EU_WEST_1
domain_name = "test-domain" from tests.providers.aws.utils import (
domain_arn = f"arn:aws:es:us-west-2:{AWS_ACCOUNT_NUMBER}:domain/{domain_name}" AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_provider,
)
make_api_call = botocore.client.BaseClient._make_api_call
def mock_make_api_call(self, operation_name, kwarg):
if operation_name == "ListDomainNames":
return {
"DomainNames": [
{
"DomainName": "test-domain-updates",
},
]
}
if operation_name == "DescribeDomain":
return {
"DomainStatus": {
"DomainName": "test-domain-updates",
"EngineVersion": "OpenSearch2.0",
"ServiceSoftwareOptions": {
"UpdateAvailable": True,
},
"ARN": f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/test-domain-updates",
"ClusterConfig": {
"InstanceCount": 1,
},
"AdvancedSecurityOptions": {
"InternalUserDatabaseEnabled": False,
},
"CognitoOptions": {
"Enabled": False,
},
"EncryptionAtRestOptions": {
"Enabled": False,
},
"NodeToNodeEncryptionOptions": {
"Enabled": False,
},
"DomainEndpointOptions": {
"EnforceHTTPS": False,
},
}
}
return make_api_call(self, operation_name, kwarg)
class Test_opensearch_service_domains_updated_to_the_latest_service_software_version: class Test_opensearch_service_domains_updated_to_the_latest_service_software_version:
@mock_aws
def test_no_domains(self): def test_no_domains(self):
opensearch_client = mock.MagicMock client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = []
from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_updated_to_the_latest_service_software_version.opensearch_service_domains_updated_to_the_latest_service_software_version.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_updated_to_the_latest_service_software_version.opensearch_service_domains_updated_to_the_latest_service_software_version.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_updated_to_the_latest_service_software_version.opensearch_service_domains_updated_to_the_latest_service_software_version import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_updated_to_the_latest_service_software_version.opensearch_service_domains_updated_to_the_latest_service_software_version import (
opensearch_service_domains_updated_to_the_latest_service_software_version, opensearch_service_domains_updated_to_the_latest_service_software_version,
@@ -32,61 +82,22 @@ class Test_opensearch_service_domains_updated_to_the_latest_service_software_ver
result = check.execute() result = check.execute()
assert len(result) == 0 assert len(result) == 0
def test_internal_update_available(self): @mock_aws
opensearch_client = mock.MagicMock @mock.patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
opensearch_client.opensearch_domains = [] def test_updates_available(self):
opensearch_client.opensearch_domains.append( client("opensearch", region_name=AWS_REGION_US_EAST_1)
OpenSearchDomain( from prowler.providers.aws.services.opensearch.opensearch_service import (
name=domain_name, OpenSearchService,
region=AWS_REGION_EU_WEST_1,
arn=domain_arn,
update_available=False,
)
) )
opensearch_client.opensearch_domains[0].logging = []
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
new=opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_updated_to_the_latest_service_software_version.opensearch_service_domains_updated_to_the_latest_service_software_version.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_updated_to_the_latest_service_software_version.opensearch_service_domains_updated_to_the_latest_service_software_version.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_updated_to_the_latest_service_software_version.opensearch_service_domains_updated_to_the_latest_service_software_version import (
opensearch_service_domains_updated_to_the_latest_service_software_version,
)
check = (
opensearch_service_domains_updated_to_the_latest_service_software_version()
)
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search(
"does not have internal updates available", result[0].status_extended
)
assert result[0].resource_id == domain_name
assert result[0].resource_arn == domain_arn
def test_internal_database_enabled(self):
opensearch_client = mock.MagicMock
opensearch_client.opensearch_domains = []
opensearch_client.opensearch_domains.append(
OpenSearchDomain(
name=domain_name,
region=AWS_REGION_EU_WEST_1,
arn=domain_arn,
update_available=True,
)
)
opensearch_client.opensearch_domains[0].logging = []
with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService",
new=opensearch_client,
), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_updated_to_the_latest_service_software_version.opensearch_service_domains_updated_to_the_latest_service_software_version.opensearch_client",
new=opensearch_client,
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_updated_to_the_latest_service_software_version.opensearch_service_domains_updated_to_the_latest_service_software_version import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_updated_to_the_latest_service_software_version.opensearch_service_domains_updated_to_the_latest_service_software_version import (
opensearch_service_domains_updated_to_the_latest_service_software_version, opensearch_service_domains_updated_to_the_latest_service_software_version,
@@ -98,6 +109,52 @@ class Test_opensearch_service_domains_updated_to_the_latest_service_software_ver
result = check.execute() result = check.execute()
assert len(result) == 1 assert len(result) == 1
assert result[0].status == "FAIL" assert result[0].status == "FAIL"
assert search("has internal updates available", result[0].status_extended) assert (
assert result[0].resource_id == domain_name result[0].status_extended
assert result[0].resource_arn == domain_arn == "Opensearch domain test-domain-updates with version OpenSearch2.0 has internal updates available."
)
assert result[0].resource_id == "test-domain-updates"
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/test-domain-updates"
)
@mock_aws
def test_no_updates_availables(self):
opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
domain = opensearch_client.create_domain(
DomainName="test-domain-no-updates",
SoftwareUpdateOptions={"AutoSoftwareUpdateEnabled": True},
)
from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=mocked_aws_provider,
), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_updated_to_the_latest_service_software_version.opensearch_service_domains_updated_to_the_latest_service_software_version.opensearch_client",
new=OpenSearchService(mocked_aws_provider),
):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_updated_to_the_latest_service_software_version.opensearch_service_domains_updated_to_the_latest_service_software_version import (
opensearch_service_domains_updated_to_the_latest_service_software_version,
)
check = (
opensearch_service_domains_updated_to_the_latest_service_software_version()
)
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Opensearch domain test-domain-no-updates with version {domain["DomainStatus"]["EngineVersion"]} does not have internal updates available."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
)

139
tests/providers/aws/services/opensearch/opensearch_service_domains_use_cognito_authentication_for_kibana/opensearch_service_domains_use_cognito_authentication_for_kibana_test.py
View File

@@ -1,25 +1,32 @@
from unittest import mock from unittest import mock
from prowler.providers.aws.services.opensearch.opensearch_service import ( from boto3 import client
OpenSearchDomain, from moto import mock_aws
)
from tests.providers.aws.utils import AWS_ACCOUNT_NUMBER, AWS_REGION_EU_WEST_1
domain_name = "test-domain" from tests.providers.aws.utils import (
domain_arn = f"arn:aws:es:us-west-2:{AWS_ACCOUNT_NUMBER}:domain/{domain_name}" AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_provider,
)
class Test_opensearch_service_domains_use_cognito_authentication_for_kibana: class Test_opensearch_service_domains_use_cognito_authentication_for_kibana:
@mock_aws
def test_no_domains(self): def test_no_domains(self):
opensearch_client = mock.MagicMock client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = []
from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService,
)
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_service_domains_use_cognito_authentication_for_kibana import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_service_domains_use_cognito_authentication_for_kibana import (
opensearch_service_domains_use_cognito_authentication_for_kibana, opensearch_service_domains_use_cognito_authentication_for_kibana,
@@ -29,25 +36,24 @@ class Test_opensearch_service_domains_use_cognito_authentication_for_kibana:
result = check.execute() result = check.execute()
assert len(result) == 0 assert len(result) == 0
@mock_aws
def test_neither_cognito_nor_saml_enabled(self): def test_neither_cognito_nor_saml_enabled(self):
opensearch_client = mock.MagicMock opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = [] domain = opensearch_client.create_domain(
opensearch_client.opensearch_domains.append( DomainName="test-domain-no-cognito-no-saml",
OpenSearchDomain( )
name=domain_name, from prowler.providers.aws.services.opensearch.opensearch_service import (
region=AWS_REGION_EU_WEST_1, OpenSearchService,
arn=domain_arn,
cognito_options=False,
saml_enabled=False,
)
) )
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_service_domains_use_cognito_authentication_for_kibana import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_service_domains_use_cognito_authentication_for_kibana import (
opensearch_service_domains_use_cognito_authentication_for_kibana, opensearch_service_domains_use_cognito_authentication_for_kibana,
@@ -59,31 +65,33 @@ class Test_opensearch_service_domains_use_cognito_authentication_for_kibana:
assert result[0].status == "FAIL" assert result[0].status == "FAIL"
assert ( assert (
result[0].status_extended result[0].status_extended
== f"Opensearch domain {domain_name} has neither Amazon Cognito nor SAML authentication for Kibana enabled." == "Opensearch domain test-domain-no-cognito-no-saml has neither Amazon Cognito nor SAML authentication for Kibana enabled."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
) )
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_id == domain_name
assert result[0].resource_arn == domain_arn
assert result[0].resource_tags == []
@mock_aws
def test_cognito_enabled(self): def test_cognito_enabled(self):
opensearch_client = mock.MagicMock opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = [] domain = opensearch_client.create_domain(
opensearch_client.opensearch_domains.append( DomainName="test-domain-cognito",
OpenSearchDomain( CognitoOptions={"Enabled": True},
name=domain_name, )
region=AWS_REGION_EU_WEST_1, from prowler.providers.aws.services.opensearch.opensearch_service import (
arn=domain_arn, OpenSearchService,
cognito_options=True,
)
) )
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_service_domains_use_cognito_authentication_for_kibana import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_service_domains_use_cognito_authentication_for_kibana import (
opensearch_service_domains_use_cognito_authentication_for_kibana, opensearch_service_domains_use_cognito_authentication_for_kibana,
@@ -95,32 +103,33 @@ class Test_opensearch_service_domains_use_cognito_authentication_for_kibana:
assert result[0].status == "PASS" assert result[0].status == "PASS"
assert ( assert (
result[0].status_extended result[0].status_extended
== f"Opensearch domain {domain_name} has either Amazon Cognito or SAML authentication for Kibana enabled." == "Opensearch domain test-domain-cognito has either Amazon Cognito or SAML authentication for Kibana enabled."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
) )
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_id == domain_name
assert result[0].resource_arn == domain_arn
assert result[0].resource_tags == []
assert result[0].resource_arn == domain_arn
@mock_aws
def test_saml_enabled(self): def test_saml_enabled(self):
opensearch_client = mock.MagicMock opensearch_client = client("opensearch", region_name=AWS_REGION_US_EAST_1)
opensearch_client.opensearch_domains = [] domain = opensearch_client.create_domain(
opensearch_client.opensearch_domains.append( DomainName="test-domain-saml",
OpenSearchDomain( AdvancedSecurityOptions={"SAMLOptions": {"Enabled": True}},
name=domain_name, )
region=AWS_REGION_EU_WEST_1, from prowler.providers.aws.services.opensearch.opensearch_service import (
arn=domain_arn, OpenSearchService,
saml_enabled=True,
)
) )
mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch( with mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service.OpenSearchService", "prowler.providers.common.provider.Provider.get_global_provider",
opensearch_client, return_value=mocked_aws_provider,
), mock.patch( ), mock.patch(
"prowler.providers.aws.services.opensearch.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_client", "prowler.providers.aws.services.opensearch.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_client",
new=opensearch_client, new=OpenSearchService(mocked_aws_provider),
): ):
from prowler.providers.aws.services.opensearch.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_service_domains_use_cognito_authentication_for_kibana import ( from prowler.providers.aws.services.opensearch.opensearch_service_domains_use_cognito_authentication_for_kibana.opensearch_service_domains_use_cognito_authentication_for_kibana import (
opensearch_service_domains_use_cognito_authentication_for_kibana, opensearch_service_domains_use_cognito_authentication_for_kibana,
@@ -132,10 +141,10 @@ class Test_opensearch_service_domains_use_cognito_authentication_for_kibana:
assert result[0].status == "PASS" assert result[0].status == "PASS"
assert ( assert (
result[0].status_extended result[0].status_extended
== f"Opensearch domain {domain_name} has either Amazon Cognito or SAML authentication for Kibana enabled." == "Opensearch domain test-domain-saml has either Amazon Cognito or SAML authentication for Kibana enabled."
)
assert result[0].resource_id == domain["DomainStatus"]["DomainName"]
assert (
result[0].resource_arn
== f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/{domain["DomainStatus"]["DomainName"]}"
) )
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_id == domain_name
assert result[0].resource_arn == domain_arn
assert result[0].resource_tags == []
assert result[0].resource_arn == domain_arn

127
tests/providers/aws/services/opensearch/opensearch_service_test.py
View File

@@ -2,6 +2,8 @@ from json import dumps
from unittest.mock import patch from unittest.mock import patch
import botocore import botocore
from boto3 import client
from moto import mock_aws
from prowler.providers.aws.services.opensearch.opensearch_service import ( from prowler.providers.aws.services.opensearch.opensearch_service import (
OpenSearchService, OpenSearchService,
@@ -13,7 +15,7 @@ from tests.providers.aws.utils import (
) )
test_domain_name = "test" test_domain_name = "test"
domain_arn = f"arn:aws:es:us-west-2:{AWS_ACCOUNT_NUMBER}:domain/{test_domain_name}" domain_arn = f"arn:aws:es:eu-west-1:{AWS_ACCOUNT_NUMBER}:domain/{test_domain_name}"
policy_data = { policy_data = {
"Version": "2012-10-17", "Version": "2012-10-17",
@@ -56,35 +58,6 @@ def mock_make_api_call(self, operation_name, kwarg):
}, },
} }
} }
if operation_name == "DescribeDomain":
return {
"DomainStatus": {
"ARN": domain_arn,
"Endpoints": {
"vpc": "vpc-endpoint-h2dsd34efgyghrtguk5gt6j2foh4.us-east-1.es.amazonaws.com"
},
"EngineVersion": "opensearch-version1",
"VPCOptions": {
"VPCId": "test-vpc-id",
},
"CognitoOptions": {"Enabled": True},
"EncryptionAtRestOptions": {"Enabled": True},
"NodeToNodeEncryptionOptions": {"Enabled": True},
"AdvancedOptions": {"string": "string"},
"LogPublishingOptions": {
"string": {
"CloudWatchLogsLogGroupArn": "string",
"Enabled": True | False,
}
},
"ServiceSoftwareOptions": {"UpdateAvailable": True},
"DomainEndpointOptions": {"EnforceHTTPS": True},
"AdvancedSecurityOptions": {
"InternalUserDatabaseEnabled": True,
"SAMLOptions": {"Enabled": True},
},
}
}
if operation_name == "ListTags": if operation_name == "ListTags":
return { return {
"TagList": [ "TagList": [
@@ -132,45 +105,85 @@ class Test_OpenSearchService_Service:
aws_provider = set_mocked_aws_provider([]) aws_provider = set_mocked_aws_provider([])
opensearch = OpenSearchService(aws_provider) opensearch = OpenSearchService(aws_provider)
assert len(opensearch.opensearch_domains) == 1 assert len(opensearch.opensearch_domains) == 1
assert opensearch.opensearch_domains[0].name == test_domain_name assert opensearch.opensearch_domains[domain_arn].name == test_domain_name
assert opensearch.opensearch_domains[0].region == AWS_REGION_EU_WEST_1 assert opensearch.opensearch_domains[domain_arn].region == AWS_REGION_EU_WEST_1
# Test OpenSearchService describ domain config # Test OpenSearchService describ domain config
def test_describe_domain_config(self): def test_describe_domain_config(self):
aws_provider = set_mocked_aws_provider([]) aws_provider = set_mocked_aws_provider([])
opensearch = OpenSearchService(aws_provider) opensearch = OpenSearchService(aws_provider)
assert len(opensearch.opensearch_domains) == 1 assert len(opensearch.opensearch_domains) == 1
assert opensearch.opensearch_domains[0].name == test_domain_name assert opensearch.opensearch_domains[domain_arn].name == test_domain_name
assert opensearch.opensearch_domains[0].region == AWS_REGION_EU_WEST_1 assert opensearch.opensearch_domains[domain_arn].region == AWS_REGION_EU_WEST_1
assert opensearch.opensearch_domains[0].access_policy assert opensearch.opensearch_domains[domain_arn].access_policy
assert opensearch.opensearch_domains[0].logging[0].name == "SEARCH_SLOW_LOGS" assert (
assert opensearch.opensearch_domains[0].logging[0].enabled opensearch.opensearch_domains[domain_arn].logging[0].name
assert opensearch.opensearch_domains[0].logging[1].name == "INDEX_SLOW_LOGS" == "SEARCH_SLOW_LOGS"
assert opensearch.opensearch_domains[0].logging[1].enabled )
assert opensearch.opensearch_domains[0].logging[2].name == "AUDIT_LOGS" assert opensearch.opensearch_domains[domain_arn].logging[0].enabled
assert opensearch.opensearch_domains[0].logging[2].enabled assert (
opensearch.opensearch_domains[domain_arn].logging[1].name
== "INDEX_SLOW_LOGS"
)
assert opensearch.opensearch_domains[domain_arn].logging[1].enabled
assert opensearch.opensearch_domains[domain_arn].logging[2].name == "AUDIT_LOGS"
assert opensearch.opensearch_domains[domain_arn].logging[2].enabled
# Test OpenSearchService describ domain # Test OpenSearchService describ domain
@mock_aws
def test_describe_domain(self): def test_describe_domain(self):
opensearch_client = client("opensearch", region_name=AWS_REGION_EU_WEST_1)
domain = opensearch_client.create_domain(
DomainName=test_domain_name,
EncryptionAtRestOptions={"Enabled": True},
ClusterConfig={
"InstanceCount": 1,
"ZoneAwarenessEnabled": True,
"DedicatedMasterCount": 1,
},
NodeToNodeEncryptionOptions={"Enabled": True},
AdvancedSecurityOptions={
"Enabled": True,
"InternalUserDatabaseEnabled": True,
"SAMLOptions": {"Enabled": True},
},
CognitoOptions={"Enabled": True},
VPCOptions={
"SubnetIds": ["test-subnet-id"],
"SecurityGroupIds": ["test-security-group-id"],
},
DomainEndpointOptions={"EnforceHTTPS": True},
AccessPolicies=policy_json,
EngineVersion="opensearch-version1",
TagList=[
{"Key": "test", "Value": "test"},
],
)
aws_provider = set_mocked_aws_provider([]) aws_provider = set_mocked_aws_provider([])
opensearch = OpenSearchService(aws_provider) opensearch = OpenSearchService(aws_provider)
domain_arn = domain["DomainStatus"]["ARN"]
assert len(opensearch.opensearch_domains) == 1 assert len(opensearch.opensearch_domains) == 1
assert opensearch.opensearch_domains[0].name == test_domain_name assert opensearch.opensearch_domains[domain_arn].name == test_domain_name
assert opensearch.opensearch_domains[0].region == AWS_REGION_EU_WEST_1 assert opensearch.opensearch_domains[domain_arn].region == AWS_REGION_EU_WEST_1
assert opensearch.opensearch_domains[0].arn == domain_arn assert opensearch.opensearch_domains[domain_arn].arn == domain_arn
assert opensearch.opensearch_domains[0].access_policy assert opensearch.opensearch_domains[domain_arn].access_policy
assert opensearch.opensearch_domains[0].vpc_endpoints == [ assert opensearch.opensearch_domains[domain_arn].vpc_endpoints == [
"vpc-endpoint-h2dsd34efgyghrtguk5gt6j2foh4.us-east-1.es.amazonaws.com" "test.eu-west-1.es.amazonaws.com"
] ]
assert opensearch.opensearch_domains[0].vpc_id == "test-vpc-id" assert not opensearch.opensearch_domains[domain_arn].vpc_id
assert opensearch.opensearch_domains[0].cognito_options assert opensearch.opensearch_domains[domain_arn].cognito_options
assert opensearch.opensearch_domains[0].encryption_at_rest assert opensearch.opensearch_domains[domain_arn].encryption_at_rest
assert opensearch.opensearch_domains[0].node_to_node_encryption assert opensearch.opensearch_domains[domain_arn].node_to_node_encryption
assert opensearch.opensearch_domains[0].enforce_https assert opensearch.opensearch_domains[domain_arn].enforce_https
assert opensearch.opensearch_domains[0].internal_user_database assert opensearch.opensearch_domains[domain_arn].internal_user_database
assert opensearch.opensearch_domains[0].saml_enabled assert opensearch.opensearch_domains[domain_arn].saml_enabled
assert opensearch.opensearch_domains[0].update_available assert not opensearch.opensearch_domains[domain_arn].update_available
assert opensearch.opensearch_domains[0].version == "opensearch-version1" assert (
assert opensearch.opensearch_domains[0].tags == [ opensearch.opensearch_domains[domain_arn].version == "opensearch-version1"
)
assert opensearch.opensearch_domains[domain_arn].instance_count == 1
assert opensearch.opensearch_domains[domain_arn].zone_awareness_enabled
assert opensearch.opensearch_domains[domain_arn].dedicated_master_count == 1
assert opensearch.opensearch_domains[domain_arn].tags == [
{"Key": "test", "Value": "test"}, {"Key": "test", "Value": "test"},
] ]